MISSOURI HEALTH INFORMATION SECURITY AND PRIVACY COLLABORATIVE 


NOTE: Below is a chart comparing Missouri law to HIPAA for preemption purposes. The chart includes a brief description of each
Missouri statute or regulation, references the applicable HIPAA provisions, indicates whether there is a conflict between Missouri law
and HIPAA as well as which law governs, and provides commentary regarding the analysis. The final column indicates the implications
for electronic health information exchange (HIE). Generally, the majority of the Missouri statutes and regulations listed below do not
specifically address electronic HIE. To the extent the laws create barriers to HIE (such as requiring a court or administrative order for
the release of records), they generally will cause such barriers regardless of whether the HIE is electronic or otherwise. In a few
instances, however, electronic records are addressed in the last column.








Missouri Statute

Investigative Subpoenas
§56.085

In the course of a criminal investigation, the prosecuting or circuit attorney may request a judge to issue an investigative subpoena for oral examination or production of documents.

HIPAA Privacy Regulations

Law Enforcement Purposes
§164.512(f)

• CEs may disclose PHI in compliance with a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, grand jury subpoena or, if certain requirements are met, an administrative request.

Conflict?

Yes

State Law or HIPAA?

State

Discussion and Conclusion

• Investigative subpoenas have the same effect under Missouri law as any other similar subpoena.

• Absent specific statutory authority under state law to disclose privileged information in response to a subpoena, CEs may not disclose such information, even if requested by a subpoena, without a patient waiver or a court/administrative order. Ingram v. Mutual of Omaha, 170 F.Supp.2d 907 (W.D.Mo. 2001).

• Some CEs may consider a subpoena signed by a judge to be a court order and others may not and some may consider a subpoena signed by an attorney to be a court order while others may not.

Implications for Electronic HIE

• None







*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal
and enforceable in accordance with the law per RSMo. §432.230.


Reporting of Deaths and As Required by Law No State e CEs may report e None 
Inquiry about Cause of §164.512(a) deaths and provide 
Death e CEs may use or disclose relevant information 
§§58.451, 58.452, 58.720 PHI without giving the as part of an inquiry 
and 58.722 individual the opportunity by the coroner or 
e Specified individuals are to agree or object and medical examiner 
required to report certain without an authorization if without violating 
deaths, including deaths it is required by law and is HIPAA because 
of children under age limited to the disclosure of PHI 
eighteen to the coroner. requirements of such law. assists coroners or 
e The coroner or medical medical examiners 
examiner is required to Coroners and Medical in fulfilling their 
make inquiry into the Examiners statutory duties of 
cause and manner of §164.512(g) identifying the cause 
death (by implication e CEs may disclose PHI to of death and is 
includes examination of the coroner or medical required by law. 











medical records). 


Immunizations 

§§167.181 and 167.183

• A record of immunization
must be prepared by 
school superintendent for 
each student showing 
immunization status and 
such records may be 
disclosed and exchanged 
to the following to assure 
compliance with state 
statutes: employees of 
public agencies, 
departments and political 
subdivisions; health 
records staff of school 
districts; child care 
facilities; health care 
professionals; and those 
entrusted with regular 








examiner for purposes of 
identifying the deceased 
and the cause of death. 

• CEs may use PHI for the
same purposes if they are 
acting as the coroner or 
medical examiner in a 
given situation. 


Public Health Activities 
§164.512(b)(1)(i) 


• CEs may disclose PHI to a


public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 


As Required by Law 
§164.512(a) 

• CEs may use or disclose
PHI without giving the 
individual the opportunity 
to agree or object and 


without an authorization if 


it is required by law and is 
limited to the 
requirements of such law. 














State 








• CEs may disclose
immunization records 
to employees of 
public agencies, 
departments and 
political subdivisions; 
health records staff of 
school districts; child 
care facilities; health 
care professionals; 
and those entrusted 
with regular care of 
those under care and 
custody of state 
agency without 
violating HIPAA 
because it is a 
permissible public 
health activity. 








• None
care of those under care | Health Oversight Activities No State e CEs may disclose 
and custody of state §164.512(d) PHI to the above 
agency. e CEs may disclose PHI to listed individuals 
public health oversight and entities to 
agencies for oversight comply with state 
activities authorized by statutes. 
law. 
Reporting of Abortions 
§§188.052 and 188.055 
e §188.052 Abortion Preemption Exception No State e CEs may report 
reports and abortion §160.203(c) abortions and their 
complication reports, e Generally, HIPAA complications 
which contain health preempts contrary state pursuant to state law 
information, must be laws. without violating 
submitted to DHSS. • One exception to that rule HIPAA because
is when the state law such reports are 
provides for the reporting exempted from 
of disease or injury, child preemption and their 
abuse, birth or death, or disclosure is 
for the conduct of public required by law and 
health surveillance, is a permissible 
investigation or public health 
intervention. activity. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
§188.055 TPO Yes HIPAA e Because the 
e Information obtained by | §164.506 disclosure of PHI by 
a physician, hospital or e CEs may use and disclose CEs that are direct 
abortion facility from a PHI for treatment, treatment providers 
patient for the purpose of payment and health care for TPO under 
preparing reports to operations. HIPAA requires 


DHSS and the 
information included in 
the reports received by 
DHSS is confidential. 


• Such information may
generally be used only 
for statistical purposes. 





Notice of Privacy Practices 

§164.520(c) 

• CEs that are direct
treatment providers must 
provide the NPP to their 
patients and attempt to 
obtain a written 
acknowledgment of 
receipt of the NPP. 











compliance with the 
requirements for the 
HIPAA NPP 
acknowledgment, 
HIPAA is more 
stringent than state 
law. 

• Thus, CEs that are
direct treatment 
providers may use 
abortion information 
for statistical 
purposes (health 
care operations) only 
if they comply with 
the more stringent
disclosed as part of an
inspection for public 
health purposes. 








§164.512(b)(1)(i)

• CEs may disclose PHI to a
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 











abortion information 
to public health 
authorities for public 
health purposes 
pursuant to state law 
without violating 
HIPAA because it is 
a permissible public 
health activity.
requirements for the
HIPAA NPP 
acknowledgment. 
e Such information may be | Public Health Activities No State e CEs may disclose 





Licensure: Emergency Health Oversight Activities No State e CEs may disclose 
Services §164.512(d) PHI to DHSS under 
§190.175.4 e CEs may disclose PHI to a State licensing 
• An ambulance service public health oversight inspection without
licensee or emergency agencies for oversight violating HIPAA 
medical response agency activities authorized by because it is a 
licensee must make law, including audits, permissible health 
records available for investigations, oversight activity. 
inspection by DHSS. inspections, licensure etc. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Data Collection Law Preemption Exception No State e CEs may report data 
§190.176 §160.203(c) to DHSS pursuant to 
e DHSS shall develop and |e Generally, HIPAA the data collection 
administer a uniform data preempts contrary state law without 
collection system on all laws. violating HIPAA 
ambulance runs and • One exception to that rule because such reports
injured patients. is when the state law are exempted from 
e Hospitals are not provides for the reporting preemption and their 
required to disclose of disease or injury, child disclosure is 
certain data. abuse, birth or death, or required by law and 
for the conduct of public is a permissible 
health surveillance, public health 
investigation or activity. 
intervention. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is





limited to the 
requirements of such law. 


Public Health Activities 
§164.512(b)(1)(i) 


CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 








Licensure: Peer Review 
Systems of Trauma 
Centers 

§190.245 


Hospitals designated as 
trauma centers are 
required to implement a 
peer review system for 
trauma patients and 
DHSS has licensing 
authority necessary to 
ensure compliance. 
DHSS may only use the 
records to implement 
such statutes and may not 
re-disclose the PHI. 





Health Oversight Activities 
§164.512(d) 


CEs may disclose PHI to 
public health oversight 
agencies for oversight 
activities authorized by 
law, including audits, 
investigations, 
inspections, licensure etc. 


As Required by Law 
§164.512(a) 


CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 








State 





• CEs such as trauma
centers may disclose 
PHI to DHSS as part 
of the licensing 
authority of DHSS 
without violating 
HIPAA because it is 
a permissible health 
oversight activity. 

• DHSS is a CE to the
extent it is a health 
care provider but it 
is a hybrid entity 
because it also has 
non-covered 
functions. 

• Because the state
it is required by law and is law limitations on 
limited to the further disclosure by 
requirements of such law. DHSS relate to its 


function as a public 
health authority and 


Covered Entity not as a covered 

§160.103 health care provider, 

e A covered entity includes HIPAA does not 
health care providers that regulate such 
transmit health disclosure. 
information in electronic e Thus, further 
form in connection with a disclosure by DHSS 
transaction covered by is governed by state 
HIPAA. law. 

Hybrid Entity 

§164.504(a) 


e A hybrid entity is a type 
of covered entity that has 
covered and non-covered 
functions. Such entities 
have the obligation to 
designate their health care 
components. 


Health Care Component 

§164.504(b) 

e HIPAA only applies to the 
health care component of 
a hybrid entity.





Patients’ Access to Medical 

Records 

§191.227 

Access 

• Requires a licensed
health care provider to 
furnish copies of 
patient’s medical records 
to patients or their legal 
representatives upon 
request. 


Limitations on Access 

• Allows denial of access
based on therapeutic 
privilege (limits access if 
consistent with the 
patient’s condition and 
sound therapeutic 
treatment). 








Access of Individuals to PHI 
§164.524 


Access 

• CEs must allow, with
certain limitations, an 
individual to inspect and 
obtain a copy of his or her 
PHI contained in a 
designated record set. 


Limitations on Access 

• Individuals have no access
to psychotherapy notes 
that are maintained 
separately from the rest of 
their medical record. 





Yes 





State 


State 





Access 

• Because both
Missouri law and 
HIPAA allow 
individuals to have 
access to their PHI, 
CEs may follow 
state law regarding 
such access, except 
as limited below. 


Limitations on Access 
• CEs must disclose


psychotherapy notes 


that are part of the 
patient’s medical 
record pursuant to 
Missouri law, even 
though it is 
prohibited under 
HIPAA because 
Missouri law 
provides greater 
rights of access by 
patients and is
therefore more
stringent. 

e CEs may deny access in Yes HIPAA e CEs may not limit a 
certain situations. The patient’s access to 
following disclosures are his or her medical 
“reviewable” under records for 
HIPAA by a licensed therapeutic reasons 
health care professional as permitted under 
(designated by the CE) Missouri law 
who did not participate in because HIPAA 
the original decision to provides greater 
deny access. access by the patient 

and is thus more 
1. Disclosures that are stringent in that 
reasonably likely to HIPAA requires 
endanger the some danger to the 
individual or another individual or others 
as opposed to 
2. Disclosures that are general 
reasonably likely to considerations of 
cause substantial harm sound therapeutic 
to a person referenced treatment. 
in the PHI or 
3. Disclosures upon the 
request of a personal 
representative where 
disclosure is likely to 
cause substantial harm
to the individual or
another. 
Time for Access Time for access Yes HIPAA Time for access e Time frame for 
e Copies must be furnished | e Requires CEs to act upon e To the extent a providing copies of 
within a reasonable time an individual’s request for “reasonable time” records will 
from the receipt of the access within 30 to 90 under Missouri law presumably be easier 
request and payment. days, depending on the exceeds the specific to meet with 
situation. time frames in electronic records. 
HIPAA, it is 
preempted by the 
more stringent 
HIPAA standard. 
Fees Fees Yes State Fees e Cost of providing 
e Allows a health care e If the individual requests a | and and e Copying Fees: With patient electronic 
provider to charge a copy of his or her own No HIPAA respect to fees copy of record is not 
“handling fee” of $17.05 records, HIPAA allows (depends on charged for making provided for by state 


and a per-page copying 
fee of $.40 plus a 
reasonable fee for 
duplications not able to 
be copied on a standard 
copy machine. The 
standard fee is increased 
February 1 of each year
in accordance with the 
CPI and is published by 
DHSS on its Web site. 





CEs to charge a 
“reasonable cost-based 
fee,” including the cost of 
copying (paper, labor, etc) 
and postage. Such a fee 
may be charged for the 
preparation of a summary 
of the PHI if the 
individual requests it. 

• Handling or retrieval fees
are prohibited with respect 
to requests by the 








the situation) 





copies at an 
individual’s request, 
HIPAA requires 
reasonable, cost- 
based fees. Though 
Missouri has 
determined by 
statute that a 
reasonable fee with 
respect to ordinary 
copies is $.37 per 
page, it might not be 





law so until 
statutorily defined, 
the fee must be a 
reasonable, cost- 
based fee per HIPAA.











individual. 











considered a “cost- 
based” fee under 
HIPAA because it is 
based on a statutory 
amount and not the 
actual cost of the 
copies. The 
Missouri statutory 
fees appear to be a 
maximum fee 
permitted under state 
law. However, to 
the extent the actual 
cost of the copies is 
less than the state 
statutory amount, 
HIPAA may 
preempt Missouri’s 
statutory fee and 
require CEs to 
charge less than 
what is permitted 
under Missouri law. 


• Handling Fee: CEs
may not charge a 
handling or retrieval 
fee in connection 
with an individual’s 
request for copies of 





• Prohibition on


charging a handling 
fee would presumably 
apply also to 
electronic records.
his or her own
records as permitted 
under Missouri law 
because it would 
reduce the 
individual’s access 
to their PHI and is 
thus less stringent 
than HIPAA, which 
does not permit such 
a fee to be charged. 
Requests by the 
individual will likely 
be construed to 
include the 
individual’s 
“personal 
representative” as 
defined under 
HIPAA or their 
“legally authorized 
representative” as 
defined under state 
law. (See preamble 
for further 
discussion of this 
issue). To the extent 
the request is not 
from the individual 
or such a
representative, CEs
may charge the 
handling fee under 
state law. 
Reporting of Infant PKU Preemption Exception No State e CEs may disclose 
Testing §160.203(c) PHI as part of the 
§191.331 e Generally, HIPAA required reporting 
e Mandatory testing and preempts contrary state under state law 
reporting of infants laws without violating 
diagnosed with • One exception to that rule HIPAA because
phenylketonuria (PKU) is when the state law such reports are 
and such other metabolic provides for the reporting exempted from 
and genetic diseases as of disease or injury, child preemption and their 
prescribed by DHSS. abuse, birth or death, or disclosure is 
for the conduct of public required by state law 
health surveillance, and is a permissible 
investigation or public health 
intervention. activity. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Public Health Activities
§164.512(b)(1)(i)
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Reporting of Exposure to Individually Identifiable No State e The information 
Infectious Disease Health Information permitted to be 
§ 191.631 §160.103 disclosed in the 
• When a care provider • Individually identifiable Missouri statute is
(defined as a person who health information PHI because it 
is employed as an includes health includes a patient 
emergency medical care information relating to number and thus is 
provider, firefighter, or past present or future not de-identified. 
police officer) “sustains physical or mental health e CEs may report the 
an exposure” while or condition of an existence of an 
rendering emergency individual. infectious disease to 
treatment to a patient, the care providers as 
patient is deemed to have | De-identification of PHI required under 
consented to being tested | §164.514 Missouri law 
for contagious or e Lists all elements of PHI without violating 
infectious diseases and to that must be eliminated in HIPAA because 
the notification of the order to de-identify the such reports are 
care provider regarding PHI. exempted from 
the results of such tests. preemption and their 
e Patients must only be Preemption Exception disclosure is a 
identified by a number
unless they consent to 
inclusion of their name. 


§160.203(c) 

• Generally, HIPAA
preempts contrary state 
laws. 

• One exception to that rule
is when the state law 
provides for the reporting 
of disease or injury, child 
abuse, birth or death, or 
for the conduct of public 
health surveillance, 
investigation or 
intervention. 


Public Health Activities 

§164.512(b)(1)(iv) 

• CEs may report PHI to a
person who may have 
been exposed to a 
communicable disease or 
may be at risk of 
contracting or spreading 
the disease if the CE is 
authorized by law to 
notify such person. 


permissible public 
health activity. 








Blood-borne pathogens 
§191.640 


• Identifies items required


to be contained in a 





TPO 

§164.506 

• CEs may use and disclose
PHI for treatment, 





Yes 





HIPAA 





• Because the
disclosure of PHI by 
CEs that are direct 
treatment providers
sharps injury log. payment and health care for TPO under
operations. HIPAA requires 
compliance with the 
Notice of Privacy Practices requirements for the 
§164.520(c)(2) HIPAA NPP 
e Direct treatment providers acknowledgment, 
must provide the NPP to HIPAA is more 
their patients and attempt stringent than state 
to obtain a written law. 
acknowledgment of e Thus, CEs that are 
receipt of the NPP. direct treatment 
providers may 
disclose PHI for the 
maintenance of a 
sharps injury log 
only if they comply 
with the 
requirements for the 
HIPAA NPP 
acknowledgment. 
Allows any person to Health Oversight Activities No State e CEs may disclose 
report to DHSS a §164.512(d) PHI to DHSS as part 
violation of this section. | • CEs may disclose PHI to of a report of a
public health oversight violation of law 
agencies for oversight without violating 
activities authorized by HIPAA because 
law, including audits, such disclosure is a 
investigations, permissible health 
inspections, licensure etc. oversight activity. 
Reporting of HIV to DHSS | Preemption Exception No State • CEs may report HIV
§191.653 §160.203(c) cases to DHSS and 
19 CSR 20-20.090 e Generally, HIPAA notify the employer 
preempts contrary state of the exposure of a 
• §191.653 All persons laws. first responder as
authorized to perform • One exception to that rule required under state
HIV tests must report to is when the state law law without 
DHSS the identity of any provides for the reporting violating HIPAA 
individual confirmed to of disease or injury, child because such reports 
be infected with HIV. abuse, birth or death, or are exempted from 
for the conduct of public preemption and their 
e 19 CSR 20-20.090 health surveillance, disclosure is 
Requires a provider to investigation or required under state 
notify an employer of intervention. law and is a 
any first responder who permissible public 
may have been exposed | As Required by Law health activity. 
to HIV or any other §164.512(a) 
reportable communicable | e CEs may use or disclose 
disease. PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Public Health Activities 
§164.512(b)(1)(i)
e CEs may disclose PHI to a 
public health authority 
authorized to receive such
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 

HIV and AIDS 

§191.656 

Confidentiality and 

Exceptions 

• Makes information Uses and Disclosures: Yes State • Absent the

regarding a person’s General Rules applicability of the 

HIV/AIDS status §164.502 listed exceptions, the 

confidential and prohibits | e CEs may not use or general state 

any person from disclose PHI except as standard of 

disclosing such permitted under HIPAA. confidentiality of 

information except for HIV and AIDS 

disclosures to: information might 
be more stringent 
than certain 
provisions in 
HIPAA that would 
otherwise permit 
disclosure. 

1. Public employees Public Health Activities No State e CEs may disclose 
who need to know to | §164.512(b)(1)(i) PHI pertaining to an
perform their public | • CEs may disclose PHI to a individual’s
duties public health authority HIV/AIDS status
authorized to receive such pursuant to Missouri
information for the law without 
purpose of preventing or violating HIPAA 
controlling disease, injury because it is a 
or disability. permissible public 
health activity. 

2. Peace officers, Public Health Activities Yes HIPAA • It is likely that
attorney general and | §164.512(b)(1)(i) Missouri law would
his or her assistants e CEs may disclose PHI to a be preempted 
and prosecutors. public health authority because it would 

authorized to receive such permit disclosure of 
information for the PHI that is otherwise 
purpose of preventing or prohibited under 
controlling disease, injury HIPAA without an 
or disability. authorization. 
However, one could 
argue against 
preemption by 
interpreting HIPAA 
in a way that a law 
enforcement official 
may be considered a 
public health 
authority in this 
situation for this 
limited purpose. 

3. Non-public Public Health Activities No State e CEs may disclose to 

employees who §164.512(b)(1)(iv) non-public
regularly care for a • CEs may disclose PHI to a employees PHI
person in the custody person who may be at risk pertaining to an 
of state (e.g. foster of contracting a disease or individual’s 
parents). condition if the CE or a HIV/AIDS status 
public health authority is pursuant to Missouri 
authorized by law to law without 
notify such person. violating HIPAA 
because it is a 
permissible public 
health activity. 
Immunity from Liability for 
Breach of Confidentiality 
e Unless they act in bad 
faith or with conscious 
disregard, individuals are 
not liable for violating 
any right to 
confidentiality if they 
disclose information 
about a person’s 
HIV/AIDS status to: 
1. DHSS Public Health Activities No State e CEs may disclose 
§164.512(b)(1)(i) PHI to DHSS as
e CEs may disclose PHI to a permitted under 
public health authority Missouri law 
authorized to receive such without violating 
information for the HIPAA because
purpose of preventing or such disclosure is 
controlling disease, injury permissible as a 
or disability. public health 
activity. 

2. Health care personnel | Public Health Activities No State e CEs may disclose 
providing direct §164.512(b)(1)(iv) the HIV/AIDS status 
patient care who have | e CEs may disclose PHI to a of a patient pursuant 
a reasonable need to person who may be at risk to Missouri law 
know. of contracting a disease or without violating 

condition if the CE or a HIPAA because it is 
public health authority is a permissible public 
authorized by law to health activity. 
notify such person. 

3. Pursuant to the Authorizations Yes HIPAA e Because HIPAA is 
written authorization | §164.508 more stringent than 
of the subject of the e Except as otherwise state law with 
test. permitted under HIPAA, a respect to the 

CE may not use or contents of an 

disclose PHI without an authorization, it 

authorization. preempts state law. 

e The content of such Thus, CEs may only 

authorization must comply disclose HIV/AIDS 

with HIPAA standards. information pursuant 
to an authorization 
under state law if the 
authorization is 
HIPAA compliant or
a HIPAA exception
applies. 
4. Spouse of subject of | Public Health Activities No State e CEs may disclose an 
the test. §164.512(b)(1)(iv) individual’s 
• CEs may report PHI to a HIV/AIDS status to
person who may have the individual’s 
been exposed to a spouse pursuant to 
communicable disease or Missouri law 
may be at risk of without violating 
contracting or spreading HIPAA because it is 
the disease if the CE is a permissible public 
authorized by law to health activity. 
notify such person. 
5. The subject of the Right of Access No State e CEs may disclose to 
test. §164.524 the subject of an 
e An individual has a right HIV/AIDS test the 
of access to inspect and results of that test 
obtain a copy of his or her under both Missouri 
own PHI. law and HIPAA. 
But keep in mind the 
preemption issues in 
terms of the right of 
access to medical 
records under 
Missouri law (as 
discussed with 
respect to §191.227, 
RSMo).
6. Parent or legal Personal Representatives: Yes State • CEs may disclose to
guardian of a minor Unemancipated Minors and and the parent or legal 
who is the subject of | §164.502(g)(3)(i) No HIPAA guardian of an 
the test. e CEs may disclose PHI to (depends on unemancipated 
an individual’s parent, the situation) minor information 
guardian or person acting about the HIV/AIDS 
in loco parentis who has status of such minor 
authority to act on behalf without violating 
of an unemancipated HIPAA because 
minor in making decisions such disclosure is 
related to health care. allowed under 
HIPAA where, as 
Personal Representatives: here, it is permitted 
Adults and Emancipated under state law. 
Minors e CEs may disclose to 
§164.502(g)(2) a parent of an
e CEs may disclose PHI to a emancipated minor 
person who has authority information about 
to act on behalf of an adult the HIV/AIDS status 
or emancipated minor in of such minor 
making decisions related without violating 
to health care. HIPAA only if the 
parent has authority 
to act on behalf of 
the minor in making 
decisions related to 
health care. 
7. The victims of certain | Public Health Activities No State e CEs may disclose 
sex crimes. §164.512(b)(1)(iv) information about 
• CEs may report PHI to a the HIV/AIDS status
person who may have of an individual to 
been exposed to a the victim of certain 
communicable disease or sex crimes pursuant 
may be at risk of to Missouri law 
contracting or spreading without violating 
the disease if the CE is HIPAA because 
authorized by law to such victims may 
notify such person. have been exposed 
to a communicable 
disease. 

8. Employees of certain | Health Oversight Activities No State e CEs may disclose 
state licensing boards | §164.512(d) information about an 
in relation to certain | • CEs may disclose PHI to individual’s
disciplinary actions. health oversight agencies HIV/AIDS status to 

for oversight activities various licensing 
authorized by law, boards pursuant to 
including audits, state law without 
investigations, violating HIPAA 
inspections, licensure etc. because it is a 
permissible health 
oversight activity. 
Civil Immunity for Health 
Care Providers 
e Health care providers 
will not have civil 
liability for 
1. Making a good faith | Public Health Activities No State • CEs may disclose 
report to DHSS about | §164.512(b)(1)(i) information about an 
a person reasonably e CEs may disclose PHI to a individual’s 
believed to be public health authority HIV/AIDS status to 
infected with HIV. authorized to receive such DHSS pursuant to 

information for the state law without 

purpose of preventing or violating HIPAA 

controlling disease, injury because it is a 

or disability. permissible public 
health activity. 

2. Cooperating in good | Public Health Activities No State e CEs may disclose 
faith with DHSS in §164.512(b)(1)(i) information about an 
an investigation to e CEs may disclose PHI to a individual’s 
determine whether a public health authority HIV/AIDS status to 
court order will be authorized to receive such DHSS pursuant to 
sought to direct a information for the state law without 
person to undergo purpose of preventing or violating HIPAA 
HIV testing. controlling disease, injury because it is a 

or disability. permissible health 
oversight activity. 

3. Participating in good | Judicial and Administrative | Yes HIPAA e CEs may not 
faith in any judicial Proceedings disclose the 
proceeding resulting | §164.512(e)(1)(i) HIV/AIDS status of 
in such a report or e CE may disclose PHI in an individual in a 
investigation. the course of any judicial judicial proceeding 

or administrative pursuant to this 
proceeding in response to Missouri statute 
an order by the court or unless HIPAA 
administrative tribunal or, would also permit 
if certain requirements are such disclosure. To 
met, in response to a the extent HIPAA 
subpoena, discovery only permits 
request or other lawful disclosure in 
process. response to a court 
or administrative 
order or, if certain 
requirements are 
met, other types of 
requests in a judicial 
proceeding, HIPAA 
is more stringent and 
must be followed. 
Confidentiality of Individually Identifiable No State e Communications 
Communications Health Information between the subject 
§160.103 of the test and the 
e All communications e Individually identifiable person performing 
between the subject of health information the test are protected 
the HIV testing and includes health under both state law 
person performing the information relating to and HIPAA. 
test shall be privileged. past, present or future 
physical or mental health 
or condition of an 
individual. 
Research Projects Uses and Disclosures: No State e CEs must comply 
General Rules with state law and 
e The identity of an §164.502 HIPAA by not 
individual participating • CEs may not use or reporting PHI in 
in a research project disclose PHI except as these types of 
approved by an IRB shall permitted under HIPAA. research projects 
not be reported to DHSS because neither law 
by the physician permits or requires 
conducting the research. such disclosure. 
HIV Information: Court Judicial and Administrative No State e CEs may disclose 
Order for Release Proceedings confidential HIV- 
§191.657 §164.512(e)(1)(i) related information 
e Lists circumstances e CEs may disclose PHI in pursuant to a court 
under which a court order the course of any judicial order obtained under 
may be obtained for the or administrative Missouri law 
disclosure of confidential proceeding in response to without violating 
HIV-related information. an order by the court or HIPAA because 
administrative tribunal or, disclosure pursuant 
if certain circumstances to a court order is 
are met, in response to a permitted under 
subpoena, discovery HIPAA. 
request or other lawful 
process. 
Law Enforcement Purposes 
§164.512(f) 
e CEs may disclose PHI in 
compliance with a court 
order, court-ordered 
warrant, subpoena or 
summons issued by a 
judicial officer, grand jury 

*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230. 

subpoena or, if certain 
requirements are met, an 
administrative request. 
HIV Information: Covered Entity No State • DHSS is a CE to the 
Disclosure to Exposed §160.103 extent it is a health 
Workers e A covered entity includes care provider but it 
§191.658 health care providers that is a hybrid entity 
e Allows disclosure by transmit health because it also has 
DHSS to a health care information in electronic non-covered 
provider who is treating a form in connection with a functions. 
health care worker or law transaction covered by e DHSS may disclose 
enforcement officer HIPAA. PHI to health care 
following a “medically workers and law 
significant exposure” of | Hybrid Entity enforcement officers 
the source individual’s §164.504(a) under this provision 
HIV status if it is on file | • A hybrid entity is a type of state law without 
with DHSS. of covered entity that has violating HIPAA 
e The health care provider covered and non-covered because such 
can then disclose to the functions. Such entities disclosure is not 
health care worker or law have the obligation to governed by HIPAA 
enforcement officer designate their health care in that the disclosure 
under certain components. is part of a non- 
circumstances. covered public 
e Further disclosure by any | Health Care Component health function of 
of the above individuals | §164.504(b) DHSS. 
is prohibited. e HIPAA only applies to the e Health care 
health care component of providers may 
a hybrid entity. disclose PHI to the 
health care worker 
Public Health Activities or law enforcement 
§164.512(b)(1)(iv) officer under this 
• CEs may report PHI to a provision of state 
person who may have law without 
been exposed to a violating HIPAA 
communicable disease or because it is a 
may be at risk of permissible public 
contracting or spreading health activity. 
the disease if the CE is e To the extent 
authorized by law to Missouri law 
notify such person. prohibits further 
disclosure by the 
Uses and Disclosures: individuals listed in 
General Rules the statute, HIPAA 
§164.502 also prohibits such 
e CEs may not use or disclosure unless the 
disclose PHI except as individual disclosing 
permitted under HIPAA. is not a CE. 

HIV: Required Testing and | Preemption Exception No State • If a CE performs the 

Disclosure of Results §160.203(c) required tests under 

§191.663 • Generally, HIPAA §191.663, RSMo, 

e Lists certain preempts contrary state the CE may report 
circumstances when HIV laws. pursuant to that 
testing is required • One exception to that rule statute without 
without an individual’s is when the state law violating HIPAA 
consent. provides for the reporting because such reports 

e Lists certain of disease or injury, child are exempted from 
circumstances when abuse, birth or death, or preemption and their 
results may or must be for the conduct of public disclosure is a 
reported to the victims of 
certain sex crimes and 
the administrator of a 
jail. 


health surveillance, 
investigation or 
intervention. 


As Required by Law 
§164.512(a) 

e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 


Public Health Activities 

§164.512(b)(1)(iv) 

• CEs may report PHI to a 
person who may have 
been exposed to a 
communicable disease or 
may be at risk of 
contracting or spreading 
the disease if the CE is 
authorized by law to 
notify such person. 


permissible public 
health activity. 








HIV Testing by Dept. of 
Insurance 
§191.671 





Public Health Activities 
§164.512(b)(1)(i) 
e CEs may disclose PHI to a 








State 





e CEs may disclose 
PHI to DHSS for 
public health 
• Results of HIV test for public health authority activities as 
applicant for insurance authorized to receive such preventing or 
coverage shall be information for the controlling disease. 
disclosed to a physician purpose of preventing or 
designated by the controlling disease, injury 
subject of test; If no or disability. 
physician is designated, 
the identity of those As Required by Law 
individuals residing in §164.512(a) 
MO having a confirmed e CEs may use or disclose 
positive HIV test will PHI without giving the 
be disclosed to DHSS. individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
HIV Testing by Court Serious Threat to Health or No State e CEs may disclose 
Order Safety PHI to the court in 
§191.674 §164.512(j)(1)(i) order to obtain an 


e After DHSS has made a 
reasonable attempt to 
obtain informed consent, 
DHSS may request a 
court order that an 
individual undergo HIV 
testing when there are 
reasonable grounds to 
believe the individual is 





e CEs may, consistent with 
applicable law and ethical 
standards, disclose PHI if 
they have a good faith 
belief that such disclosure 
is necessary to prevent or 
lessen a serious and 
imminent threat to the 
health or safety of a 











order for HIV testing 
under state law 
without violating 
HIPAA because 
such disclosure is 
permitted in order to 
avert a serious and 
imminent threat to 
health or safety. 
infected with HIV and person or the public AND • If a CE performs the 
there is clear and the disclosure is to a test, it may disclose 
convincing evidence of a person reasonably able to to the relevant 
serious and present prevent or lessen such parties as ordered by 
health threat to others. threat. the court. 
e Records of any suit filed 
pursuant to this section Judicial and Administrative 
are closed to the public. | Proceedings 
§164.512(e)(1)(i) 
• CE may disclose PHI in 
the course of any judicial 
or administrative 
proceeding in response to 
an order by the court or 
administrative tribunal or, 
if certain requirements are 
met, in response to a 
subpoena, discovery 
request or other lawful 
process. 
Prohibited Acts if Judicial and Administrative | Yes HIPAA e CEs may not 
Knowingly Infected with Proceedings disclose the 
HIV §164.512(e)(1)(i) HIV/AIDS status of 
§191.677 e CE may disclose PHI in an individual in a 
e DHSS may file a complaint the course of any judicial judicial proceeding 
with the prosecuting or administrative unless HIPAA 
attorney and shall assist the proceeding in response to would also permit 
prosecution in preparing a an order by the court or disclosure. To the 
case against one infected administrative tribunal or, extent HIPAA only 
with HIV who knowingly if certain requirements are permits disclosure in 
performs prohibited acts met, in response to a response to a court 
listed in this statute. This subpoena, discovery or administrative 
includes turning over request or other lawful order or, if certain 
records concerning the process. requirements are 
person’s HIV infected met, other types of 
status. Law Enforcement Purposes requests in a judicial 
§164.512(f) proceeding, HIPAA 
e CEs may disclose PHI in is more stringent and 
compliance with a court must be followed. 
order, court-ordered 
warrant, subpoena or 
summons issued by a 
judicial officer, grand jury 
subpoena or, if certain 
requirements are met, an 
administrative request. 
Notice to Schools of HIV Serious Threat to Health or No State e CEs may disclose the 
Status Safety HIV/AIDS status of a 
§191.689 §164.512(j)(1)(i) student to those at the 
e Once school e CEs may, consistent with school who have a 
superintendents have applicable law and ethical reasonable need to 
notice of a student standards, disclose PHI if know in order to 
infected with HIV, they they have a good faith provide proper 
may disclose the identity belief that such disclosure healthcare. People 
of an infected child to is necessary to prevent or that need to provide 
those at school who lessen a serious and proper healthcare are 
determine fitness of imminent threat to the reasonably able to 
individuals to attend health or safety of a prevent or lessen the 
school and those who person or the public AND threat to the health or 
have a reasonable need to the disclosure is to a safety of other 
know in order to provide person reasonably able to students and health 
proper healthcare. prevent or lessen such care providers. 
threat. 

HIV Status or Hepatitis B 

Virus (HBV) Status: 

Practice Restrictions 

§191.700 

• If a health care Public Health Activities No State • DHSS may disclose 
professional who §164.512(b)(1)(iv) PHI to health care 
performs invasive • CEs may report PHI to a providers pursuant 
procedures participates in person who may have to this statute 
a voluntary evaluation been exposed to a without violating 
process resulting in communicable disease or HIPAA because it is 
restrictions or limitations may be at risk of a permissible public 
being placed on the contracting or spreading health activity. 
individual’s medical the disease if the CE is 
practice, DHSS may authorized by law to 
disclose it to the health notify such person. 
care facilities where the 
health care professional 
provides patient care. 
A health care facility TPO Yes HIPAA e Because disclosure 
may maintain peer §164.506 for TPO under 
review procedures and e CEs may use and disclose HIPAA requires 
may monitor compliance PHI for treatment, compliance with the 
with practice restrictions payment and health care requirements for the 

or limitations. operations. HIPAA NPP 
acknowledgment, 
HIPAA is more 
stringent than state 

Notice of Privacy Practices law. 


§164.520(c)(2) e 

e Direct treatment providers 
must provide the NPP to 
their patients and attempt 
to obtain a written 
acknowledgment of 


Thus, CEs may 
disclose PHI for peer 
review purposes 
(health care 
operations) only if 
they comply with the 
receipt of the NPP. more stringent 
requirements for the 
HIPAA NPP 
acknowledgment. 

e Any violation of practice | Health Oversight Activities No State e CEs may report 
restrictions or limitations | §164.512(d) violations of practice 
may be reported to the e CEs may disclose PHI to restrictions to a state 
appropriate state health oversight agencies licensing board 
licensing board. for oversight activities without violating 

authorized by law, HIPAA because it is 
including audits, a permissible health 
investigations, oversight activity. 
inspections, licensure etc. 

HIV/HBV: Notification of | As Required by Law No State Coroners and Medical 

Funeral Directors, §164.512(a) Examiners 

Coroners and Medical e CEs may use or disclose e CEs may disclose 

Examiners PHI without giving the the HIV or HBV 
§191.703 individual the opportunity status of a deceased 
19 CSR 20-20.090(3) & (4) to agree or object and to the coroner or 
e A licensed health care without an authorization if medical examiner as 
facility that treats a it is required by law and is required under state 
patient having HIV or limited to the law without 
HBV infection or any requirements of such law. violating HIPAA 
other reportable because it is required 
infectious or contagious | Coroners and Medical by law; it could be 
disease shall notify the Examiners for the purposes of 
funeral home, coroner or | §164.512(g) identifying the cause 
medical examiner of such | e CEs may disclose PHI to of death; and such 
disease prior to removal the coroner or medical PHI is being 
of the deceased from the examiner for purposes of disclosed to one who 
health care facility. identifying the deceased may be at risk of 
and the cause of death. contracting a 
e Allows disclosure of PHI communicable 
to funeral directors disease. 
consistent with applicable 
law as necessary to carry Funeral Directors 
out their duties. e CEs may disclose 
the HIV or HBV 
Public Health Activities status of a decedent 
§164.512(b)(1)(iv) to the funeral 
• CEs may report PHI to a director as required 
person who may have by state law without 
been exposed to a violating HIPAA 
communicable disease or because it is required 
may be at risk of by law; is necessary 
contracting or spreading for the funeral 
the disease if the CE is director to carry out 
authorized by law to his or her duties; and 
notify such person. such PHI is being 
disclosed to one who 
may be at risk of 
contracting a 
communicable 
disease. 
Reporting of Children Preemption Exception No State CEs may disclose 
Exposed to Substance §160.203 PHI as part of 
Abuse e Generally, HIPAA referring or 
§191.737 preempts contrary state reporting a family to 
e Providers may refer laws. DHSS under state 
families to DHSS when • One exception to that rule law without 
children may have been is when the state law violating HIPAA 
exposed to controlled provides for the reporting because such reports 
substances. of disease or injury, child are exempted from 
abuse, birth or death, or preemption and their 
for the conduct of public disclosure is a 
health surveillance, permissible public 
investigation or health activity. 
intervention. 
Public Health Activities 
§164.512(b)(1)(i) 
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Reporting of High-Risk Preemption Exception Yes State e CEs may report 
Pregnancies §160.203 high-risk 
§191.743 e Generally, HIPAA pregnancies to 
e Physicians and health preempts contrary state DHSS under state 
care providers shall laws. law without 
report high-risk One exception to that rule violating HIPAA 
pregnancies to DHSS if is when the state law because such reports 
they obtain the patient’s provides for the reporting are exempted from 
consent. of disease or injury, child preemption and their 
abuse, birth or death, or disclosure is 
for the conduct of public required by law and 
health surveillance, is a permissible 
investigation or public health 
intervention. activity. 
However, because 
As Required by Law state law requires 
§164.512(a) consent of the 
e CEs may use or disclose patient before such 
PHI without giving the reporting, it is more 
individual the opportunity stringent than 
to agree or object and HIPAA. Thus, 
without an authorization if consent under state 
it is required by law and is law must be 
limited to the obtained but it need 
requirements of such law. not meet the 
requirements for a 
Public Health Activities HIPAA 
§164.512(b)(1)(i) authorization. 
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Testing of Women and De-identification of PHI No State To the extent 
Infants at Time of Delivery | §164.514 identifying or 
§191.745 e Lists all elements of PHI demographic 
e Upon request of DHSS, a that must be eliminated in information is 
physician providing order to de-identify the provided to DHSS, 
obstetrical or PHI. the samples and 
gynecological care shall information would 
obtain “test samples” to | As Required by Law constitute PHI and 
send to DHSS for §164.512(a) would not be 
analysis and study. e CEs may use or disclose considered de- 
e Samples are to be PHI without giving the identified. 
provided without individual the opportunity CEs may disclose 
identifying information to agree or object and such PHI to DHSS 
unless DHSS requests without an authorization if as required by 
certain demographic it is required by law and is Missouri law 
information necessary to limited to the without violating 
interpret the results. requirements of such law. HIPAA because it is 
required by state law 
Public Health Activities and is a permissible 
§164.512(b)(1)(i) public health 
e CEs may disclose PHI to a activity. 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Fraud and Abuse As Required by Law No State e CEs may disclose 
Investigations by Attorney | §164.512(a) PHI to the Attorney 
General e CEs may use or disclose General as part of a 
§191.910 PHI without giving the fraud and abuse 
e The Attorney General individual the opportunity investigation under 
has the authority to to agree or object and state law without 
investigate health care without an authorization if violating HIPAA 
payment fraud and abuse. it is required by law and is because such 
limited to the disclosure is 
requirements of such law. required by law and 
is pursuant to a 
Health Oversight Activities permissible health 
§164.512(d) oversight activity. 
e CEs may disclose PHI to 
health oversight agencies 
for oversight activities 
authorized by law, 
including audits, 
investigations, 
inspections, licensure etc. 
Reporting of Newborn Preemption Exception No State e CEs may report to 
Hearing Tests §160.203(c) DHSS the results of 
§191.925 • Generally, HIPAA newborn hearing 
e Every newborn shall be preempts contrary state tests or the refusal of 
screened for hearing loss laws. such tests pursuant 
and the results reported • One exception to that rule to state law without 
to parents or legal is when the state law violating HIPAA 
guardian and DHSS. provides for the reporting because such reports 
e Parents or guardian may of disease or injury, child are exempted from 
refuse testing on abuse, birth or death, or preemption and their 
religious grounds but for the conduct of public disclosure is 
such refusal must be health surveillance, required by state law 
documented and reported investigation or and is a permissible 
to DHSS. intervention. public health 
activity. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Public Health Activities 
§164.512(b)(1)(i) 
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Department of Health and Senior Services 
Disease Prevention: Preemption Exception No State e CEs may report 
Authority of DHSS §160.203(c) communicable 
§192.020 e Generally, HIPAA diseases as required 
19 CSR 20-20.020 preempts contrary state under state law 
e DHSS is granted laws. without violating 
authority to promulgate • One exception to that rule HIPAA because 
regulations for the is when the state law such reports are 
purpose of preventing the provides for the reporting exempted from 
spread of contagious or of disease or injury, child preemption and their 
communicable diseases. abuse, birth or death, or disclosure is 
e This is implemented by for the conduct of public required by state law 
19 CSR 20-20.020, health surveillance, and is a permissible 
which requires the investigation or public health 
reporting of diseases intervention. activity. 
listed therein. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Public Health Activities 
§164.512(b)(1)(i) 
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Vital Statistics Preemption Exception No State • CEs may report vital 
§192.060 §160.203(c) statistics to DHSS 
(See Chapter 193 for e Generally, HIPAA under state law 
specific information about preempts contrary state without violating 
what should be reported) laws. HIPAA because 
e Gives DHSS authority to | e One exception to that rule such reports are 
receive information about is when the state law exempted from 
vital statistics. provides for the reporting preemption and their 
of disease or injury, child disclosure is 
abuse, birth or death, or required under state 
for the conduct of public law and is a 
health surveillance, permissible public 
investigation or health activity. 
intervention. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Public Health Activities 
§164.512(b)(1)(i) 
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Epidemiological Studies by | Preemption Exception No State e CEs may report 
DHSS and Requirement of | §160.203(c) medical record 
Confidentiality e Generally, HIPAA information to 
§192.067 preempts contrary state DHSS for 
e Grants authority to laws. epidemiological 
DHSS to receive medical | e One exception to that rule studies under state 
record information for is when the state law law without 
epidemiological studies. provides for the reporting violating HIPAA 
e Requires DHSS to of disease or injury, child because such reports 
maintain confidentiality abuse, birth or death, or are exempted from 
of information it for the conduct of public preemption and their 
receives. health surveillance, disclosure is 
e DHSS may release investigation or required by law and 
information in a intervention. is a permissible 
statistical aggregate form public health 
that precludes Public Health Activities activity. 
identification of the §164.512(b) e DHSS is a CE to the 
patient, physician or e CEs may disclose PHI to a extent it is a health 
medical facility. public health authority care provider but it 
DHSS may also release authorized to receive such is a hybrid entity 
information in medical information for the because it also has 
record form to other purpose of preventing or non-covered 
public health authorities controlling disease, injury functions. 
or co-investigators of a or disability. e Because the state 
health study. law limitations on 
Covered Entity further disclosure by 
§160.103 DHSS related to its 
e A covered entity includes function as a public 
health care providers that health authority and 
transmit health not as a covered 
information in electronic health care provider, 
form in connection with a HIPAA does not 
transaction covered by regulate such 
HIPAA. disclosure. 
e Thus, further 
Hybrid Entity disclosure by DHSS 
§164.504(a) is governed by state 
e A hybrid entity is a type law. 
of covered entity that has 
covered and non-covered 
functions. Such entities 
have the obligation to 
designate their health care 
components. 
Health Care Component 
§164.504(b) 
e HIPAA only applies to the 
health care component of 
a hybrid entity. 
Reporting by HMOs to Preemption Exception No State e HMOs as CEs may 
DHSS §160.203(c) report data to DHSS 
§192.068 e Generally, HIPAA pursuant to state law 
e Entities licensed pursuant preempts contrary state without violating 
to §§354.400-354.636, laws. HIPAA because 
RSMo are required to • One exception to that rule such reports are 
submit certain data to is when the state law exempted from 
DHSS regarding quality requires a health plan to preemption and their 
of care, access to care, report or allow access to disclosure is 
member satisfaction and information for the required by law and 
member health status. purpose of management is a permissible 
e DHSS is limited in its and financial audits, public health 
release of such program monitoring and activity. 
information to the public. evaluation, or the e DHSS is a CE to the 
licensure or certification extent it is a health 
of facilities or individuals. care provider but it 
is a hybrid entity 
As Required by Law because it also has 
§164.512(a) non-covered 
e CEs may use or disclose functions. 
PHI without giving the e Because the state 
individual the opportunity law limitations on 
to agree or object and further disclosure by 
without an authorization if DHSS relate to its 
it is required by law and is function as a public 
limited to the health authority and 
requirements of such law. not as a covered 
health care provider, 
Public Health Activities HIPAA does not 
§164.512(b)(1)(i) regulate such 
e CEs may disclose PHI to a disclosure. 
public health authority e Thus, further 
authorized to receive such disclosure by DHSS 
information for the is governed by state 
purpose of preventing or law. 
controlling disease, injury 
or disability. 
Covered Entity 
§160.103 
e A covered entity includes 
health care providers that 
transmit health 
information in electronic 
form in connection with a 
transaction covered by 
HIPAA. 
Hybrid Entity 
§164.504(a) 
e A hybrid entity is a type 
of covered entity that has 
covered and non-covered 
functions. Such entities 
have the obligation to 
designate their health care 
components. 
Health Care Component 
§164.504(b) 
e HIPAA only applies to the 
health care component of 
a hybrid entity. 
Reporting by Medical Preemption Exception No State e CEs may report 
Treatment Facilities and §160.203(c) infectious diseases 
Nursing Homes e Generally, HIPAA under state law 
§192.138 preempts contrary state without further 
e Institutions licensed laws. limitation and 
under Chapter 197 and • One exception to that rule without violating 
198, RSMo are required is when the state law HIPAA because 
to report infectious provides for the reporting such reports are 
diseases pursuant to state of disease or injury, child exempted from 
law only to the extent it abuse, birth or death, or preemption and their 
is consistent with federal for the conduct of public disclosure is 
law. health surveillance, required by law and 
investigation or is a permissible 
intervention. public health 
activity. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
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PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Public Health Activities 
§164.512(b)(1) (i) 
e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 
Missouri Statute
Reporting of Cancer Cases
§§192.650; 192.653; 192.655
19 CSR 70-21.010
• Requires physicians and other health care providers to report to DHSS certain information regarding malignant neoplasms.
• Gives DHSS authority to promulgate regulations regarding such reporting.
• Places limitations on the release of information and data by DHSS for exchange for cancer registries; Patient’s identity must be protected.

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.

Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report data regarding malignant neoplasms to DHSS pursuant to state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.
• DHSS is a CE to the extent it is a health care provider but it is a hybrid entity because it also has non-covered functions.
• Because the state law limitations on further disclosure by DHSS relate to its function as a public health authority and not as a covered health care provider, HIPAA does not regulate such disclosure.
• Thus, further disclosure by DHSS is governed by state law.

Implications for Electronic HIE
• Per 19 CSR 70-21.010, Hospitals that electronically report such information must use the North American Association of Central Cancer Registries (NAACCR) layout.
• The CDC National Program of Cancer Registries (NPCR) provides the minimum data to be reported in addition to the number of years the patient used tobacco.
• NPCR recommends other data be reported as toxic exposure.

Missouri Statute
Reporting of Patient Abstract and Financial Data by Health Care Providers
§192.667
19 CSR 10-33.010; 19 CSR 10-33.040; 19 CSR 10-33.050
• Requires hospitals and ambulatory surgical centers to annually report patient abstract and financial data to DHSS.
• Places limitations on the use and disclosure of the information by DHSS.

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.

Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.

State Law or HIPAA? State

Discussion and Conclusion
• CEs may report data to DHSS as required under state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by state law and is a permissible public health activity.
• DHSS is a CE to the extent it is a health care provider but it is a hybrid entity because it also has non-covered functions.
• Because the state law limitations on use and disclosure by DHSS relate to its function as a public health authority and not as a covered health care provider, HIPAA does not regulate such disclosure.
• Thus, use and disclosure by DHSS is governed by state law.

Implications for Electronic HIE
• The Missouri regulations define the following as acceptable electronic media: (1) IBM-3480 compatible (1.2”) 18 track tape uncompressed or 3490 compressed; (2) IBM formatted 1.44Mb diskette; or (3) other magnetic media may be accepted with prior approval of DHSS.

Missouri Statute
Reporting of Head and Spinal Cord Injuries
§192.737
• Requires physicians and hospitals to report traumatic head and spinal cord injuries.

HIPAA Privacy Regulations
Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report traumatic head and spinal cord injuries under state law without violating HIPAA because such disclosure is required by law and is a permissible public health activity.

Missouri Statute
Communicable Disease Exposure: Notification of First Responders
§§192.800, 192.802, 192.804, 192.806, 192.808
19 CSR 30-40.047

§192.800
• Definitions.

§192.802
• “First responders” and “Good Samaritans” may, after an exposure that may present a significant risk of a communicable disease, request that the licensed facility or designated health officer report certain information to the first responder or Good Samaritan if they determine that such an exposure did occur. Testing of the patient for communicable diseases is not authorized or required by this statute.

§§192.804; 192.806
• Rules re: form of request for information about communicable disease exposure and process for responding.

§192.808
• Cannot require testing of patient.

19 CSR 30-40.047
• Regulation provides details on reporting to first responders and Good Samaritans.
• Regulation provides limitations on the use of communicable disease information by DHSS and local public health agencies.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Public Health Activities
§164.512(b)(1)(iv)
• CEs may report PHI to a person who may have been exposed to a communicable disease or may be at risk of contracting or spreading the disease if the CE is authorized by law to notify such person.

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.

Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose information about communicable diseases as required by state law without violating HIPAA because such disclosure is required by law and is a permissible public health activity.
• The designated health officer could be from DHSS or a local public health agency and therefore such officers are part of a CE to the extent the entities are health care providers but they would only be hybrid entities because they would have non-covered functions.
• Because the regulatory limitations on use of communicable disease information by DHSS and similar agencies relate to their public health function, HIPAA does not regulate such disclosure.
• Thus, further use and disclosure by those agencies is governed by state law.

Vital Statistics

Missouri Statute
Birth and Death Certificates
§§193.085, 193.087, 193.105, 193.125, 193.135, 193.145, 193.165, 193.175, 193.225, 193.275,
19 CSR 10-10.010 et seq.

§§193.085, 193.087, 193.105, 193.125, 193.135
• Filing of certificate of live birth required, containing certain medical information.
• Court order required for access in certain circumstances.

§§193.145, 193.155, 193.165, 193.175
• Filing of death certificate required, containing certain medical information.
• Disposition of dead body and notification of death.
• Amendment of vital records.
• Inspection and copies of records — disclosure of information.

§193.225, 193.275
• Records may be maintained electronically.
• Information to be maintained for at least 5 years by the individual or entity filing the report or certification.

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report births and deaths as required by state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.

Implications for Electronic HIE
• State law specifies that vital records may be maintained electronically (§§193.085 and 193.225)

Missouri Statute
Autopsies
§194.115
• Allows certain individuals to consent to an autopsy on a deceased individual.
• Requires reports of such autopsies to be disclosed, upon request, to the personal representative or administrator of the deceased’s estate, the surviving spouse, any surviving child, parent, brother or sister of the deceased.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose reports of autopsies to the individuals listed in this Missouri statute without violating HIPAA because such disclosures are required by law.

Missouri Statute
Reporting of Suspected Cases of Sudden Infant Death Syndrome (SIDS)
§194.117
19 CSR 40-3.010
• Any person who first discovers or acquires knowledge of the death of an infant between 1 week and 1 year old must report it to the county coroner or medical examiner when the child died suddenly when in apparent good health.
• Coroner or medical examiner shall notify DHSS of the results of the autopsy.
• Pathologist who performs the autopsy shall, upon request by the parents or guardian, release autopsy results to the parents, guardian or family physician in cases of suspected SIDS.

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report deaths to the county coroner or medical examiner under state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.
• Because the coroner and medical examiner are not CEs, HIPAA does not regulate their release of PHI. State law should be followed.

Missouri Statute
Bodies of Paupers: Disposal and Distribution
§§194.150 and 194.160
• Hospitals and other entities having custody of the body of any deceased person required to be buried at public expense are required to notify the Missouri State Anatomical Board and deliver the body to the board, which is then authorized to deliver the body to educational institutions to use for the study of human anatomy. Bodies delivered to educational institutions must have name and cause of death in the record being sent with body.

HIPAA Privacy Regulations
Individually Identifiable Health Information
§160.103
• Individually identifiable health information includes health information relating to past present or future physical or mental health or condition of an individual.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

State Law or HIPAA? State

Discussion and Conclusion
• The body of a deceased person may be considered PHI to the extent the identity of the corpse is identifiable by its appearance.
• CEs may provide the notification and delivery of a body to the Missouri State Anatomical Board under state law without violating HIPAA because it is required by state law.

Missouri Statute
Uniform Anatomical Gift Act
§§194.220, 194.260, 194.263, 194.265, 194.295

§194.220
• Establishes an organ and tissue donor registry.

§194.260
• Requires a record search to determine if individual who is dead or near death wishes to be an organ donor.

§194.263
• Requires access to documents evidencing an anatomical gift or refusal by a deceased individual.

§194.265
• Permits examination of medical records of donor or prospective donor by hospital personnel and the person receiving the donation to ensure the medical suitability of the donation.

§194.294
• The Uniform Anatomical Gift Act supersedes and limits the Electronic Signatures in Global and National Commerce Act (15 USC §7001 et seq.) except for §7001 of that act (which generally treats electronic signatures, contracts or other records as valid). However, the Uniform Anatomical Gift Act does not authorize electronic delivery of the notices described in 15 USC §7003(b).

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• Review of records under the Uniform Anatomical Gift Act under Missouri law is permissible under HIPAA to the extent that it is required by law.
• In addition, the permitted access to records for purposes of ensuring the medical suitability of a donation is permissible under HIPAA because it is for treatment purposes.

Implications for Electronic HIE
• To the extent the Uniform Anatomical Gift Act does not limit or supersede §7001 of the Electronic Signatures in Global and National Commerce Act (15 USC §7001 et seq.), which generally treats electronic signatures, contracts or other records as valid, it should facilitate electronic exchange of health information.

Drug Regulations

Missouri Statute
Warrants for Administrative Inspections
§195.375
• A judge may issue warrants for administrative inspections pursuant to the Comprehensive Drug Control Act of 1989.

HIPAA Privacy Regulations
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI to law enforcement officials executing a warrant issued under this section of Missouri law without violating HIPAA because such disclosure is a permissible health oversight activity and has a valid law enforcement purpose.

Missouri Statute
Prescriptions, Orders, Records and Stocks of Controlled Substances
§195.415
• Federal, state, county and municipal officers may inspect prescriptions, orders, records and stocks of controlled substances for law enforcement purposes.
• Officers may not further disclose such information unless pursuant to a prosecution or proceeding in court or before a licensing or registration board.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI related to controlled substances under this Missouri statute without violating HIPAA because such disclosure is required by state law.
• Because law enforcement officers are not CEs under HIPAA, their disclosure is not governed by HIPAA. However, it is limited by this section of state law.

Missouri Statute
Licensure: Hospitals, Ambulatory Surgical Centers, Hospices and Home Health Agencies
§§197.100, 197.230, 197.258, 197.425
19 CSR 30-20.015(5) & (6) (hospitals)
19 CSR 30-30.020(1)(A)(5) (ASCs)
19 CSR 30-35.030(2) (hospices)
19 CSR 30-26.010(2)(E) (home health agencies)
• DHSS has authority to investigate and survey hospitals, ASCs, hospices and home health agencies.
• The authority of DHSS specifically includes access to all information related to patient care.

HIPAA Privacy Regulations
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI to DHSS during surveys and investigations under these sections without violating HIPAA because it is a permissible health oversight activity.

Missouri Statute
Whistleblower Provisions
§197.285
• If certain requirements are met, employees of hospitals and ambulatory surgical centers and their compliance or management officials may disclose to DHSS and other appropriate governmental authorities information relevant to reports of facility mismanagement, violations of law and the ability of employees to successfully perform their assigned duties.

HIPAA Privacy Regulations
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

State Law or HIPAA? State

Discussion and Conclusion
• CEs, including their workforces, may disclose PHI to DHSS and other appropriate governmental authorities pursuant to state law without violating HIPAA because such disclosure is a permissible health oversight activity.

Missouri Statute
Licensure: Long-Term Care Facilities
§§198.022, 198.526
19 CSR 30-85.012 et seq.
19 CSR 30-86.012 et seq.
• DHSS is authorized to inspect all records of a residential care facility I, a residential care facility II, an intermediate care facility and a skilled nursing facility.
• §198.526 Division of Aging previously had authority to inspect all facilities licensed by such division. (The Division of Aging was transferred from DSS to DHSS).

HIPAA Privacy Regulations
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI to DHSS as part of an inspection under state law without violating HIPAA because it is a permissible health oversight activity.

Missouri Statute
Long-Term Care Records: Release by DHSS
§198.032
• Places limitations on the release of confidential medical, social, personal or financial records of long-term care residents by DHSS.
• DHSS must electronically record and maintain a hotline caller log for reporting of suspected abuse or neglect in long-term care facilities.

HIPAA Privacy Regulations
Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.

Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• DHSS is a CE to the extent it is a health care provider but it is a hybrid entity because it also has non-covered functions.
• Because the state law limitations on disclosure of PHI by DHSS relate to its function as a public health authority and not as a covered health care provider, HIPAA does not regulate such disclosure.
• Thus, disclosure by DHSS is governed by state law.

Implications for Electronic HIE
• DHSS must electronically record and maintain a hotline caller log for reporting of suspected abuse or neglect in long-term care facilities.

Missouri Statute
Long-Term Care Facilities: Audits
§198.052
• Authorizes the State Auditor to examine and audit facility records relating to the operation of a residential care facility I, a residential care facility II, an intermediate care facility or a skilled nursing facility.
• Places certain limitations of further disclosure by the auditor.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI to the State Auditor pursuant to state law without violating HIPAA because such disclosure is required by law.
• Subsequent disclosure of PHI by the State Auditor is not governed by HIPAA because the auditor is not a CE.
• Disclosure by the auditor is limited by the provisions of state law.

Missouri Statute
Abuse or Neglect of Long-Term Care Residents
§198.070
• Certain individuals and entities are required to report to DHSS when they have reasonable cause to believe that a resident of a residential care facility I, a residential care facility II, an intermediate care facility or a skilled nursing facility has been abused or neglected.

HIPAA Privacy Regulations
Victims of Abuse, Neglect or Domestic Violence
§164.512(c)
• CE may disclose PHI to an agency authorized to receive information about an individual believed to be a victim of abuse, neglect or domestic violence to the extent such disclosure is required by law and complies with the requirements of that law.
• If the CE discloses PHI pursuant to this section of HIPAA, it must inform the individual of the disclosure except for certain delineated situations where the safety of the individual is at risk.

As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• CEs may report abuse to DHSS under state law without violating HIPAA because such reporting is required by law.
• However, to the extent HIPAA requires notice to the individual, it is more stringent and must be followed.

Missouri Statute
Licensure: Alzheimer’s Category
§198.086
• Creates a pilot project for the development of a licensing category for treatment of Alzheimer’s patients.
• Pilot projects are monitored by DHSS, which has access to patient information.

HIPAA Privacy Regulations
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI to DHSS pursuant to its licensure activities without violating HIPAA because it is a permissible health oversight activity.

Missouri Statute
Patient Rights: Long-Term Care Residents
§198.088
• Rights of long-term care residents include, among other things, the right to confidential treatment, which prohibits the release of information about the resident’s treatment without written consent of the resident unless the person is otherwise authorized by law to receive it.

HIPAA Privacy Regulations
§§164.506, 164.508, 164.510 and 164.512
• Various uses and disclosures are authorized in these sections of HIPAA, provided certain requirements are met.

Conflict? %
State Law or HIPAA? %

Discussion and Conclusion
• CEs may release the PHI of residents only if both state law and HIPAA would otherwise authorize such disclosure. Note that under state law, the consent of the resident is required unless the person is otherwise authorized by law to receive the information.
• The circumstances of permitted disclosures of such PHI under Missouri law are covered elsewhere in this analysis.

Missouri Statute
Fraud Investigation Division
§§198.161 and 198.180
• Allows the director of the Fraud Investigation Division of the Department of Social Services to investigate suspected fraud violations and audit and inspect records of long-term care providers.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose PHI pursuant to a fraud investigation under state law without violating HIPAA because such disclosure is required by state law and is a permissible health oversight activity.

Missouri Statute
Licensure: Disclosure of Long-Term Care Investigation Results
§198.532
• Results of investigations of long-term care facilities under Chapter 198, RSMo may be disclosed by DHSS with certain limitations. This section allows for reports to be provided by DHSS and the long-term care facility to any of the facility’s residents or their family members or guardians upon request and to the public, provided that “personal information identifying the resident” is “blanked out.”

HIPAA Privacy Regulations
Authorizations
§164.508
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• The content of such authorization must comply with HIPAA standards.

De-identification of PHI
§164.514
• Lists all elements of PHI that must be eliminated in order to de-identify the PHI.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• CEs may not disclose PHI that is included in an investigation report to residents, family members, guardians or the public under this provision of state law because HIPAA is more stringent in that HIPAA would require an authorization or de-identification of the PHI.
• Though individuals are generally entitled to the information in their designated record set, reports of investigations are not part of those record sets and thus an authorization is required for disclosure of such investigation records to the individual or their personal representative.
• The “blanking out” of “personal information identifying the resident” must comply with the HIPAA de-identification requirements in order to allow disclosure without a HIPAA compliant authorization.

Missouri Statute
Rehabilitation Facilities: Confidentiality of Records
§199.033
General Confidentiality
• Makes records of rehabilitation facilities confidential.

HIPAA Privacy Regulations
Uses and Disclosures: General Rules
§164.502
• CEs may not use or disclose PHI except as permitted under HIPAA.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• Records of rehabilitation facilities are confidential under both state law and HIPAA.

Missouri Statute
Required Disclosures
• Requires disclosure of such patient information and records upon request by certain individuals.

HIPAA Privacy Regulations
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f)

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose patient information and records of rehabilitation facilities to the individuals listed in §199.033.2, RSMo without violating HIPAA because it is required by state law.

Missouri Statute
Permitted Disclosures
• Permits disclosure of patient information and records under any of the following circumstances:
1. As authorized by the patient.

HIPAA Privacy Regulations
Authorizations
§164.508
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• The content of such authorization must comply with HIPAA standards.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• Because HIPAA is more stringent than state law with respect to the contents of an authorization, it preempts state law.
• Thus, CEs may not disclose information and records of patients at rehabilitation facilities as permitted under state law unless the authorization is HIPAA compliant or a HIPAA exception applies.

Missouri Statute
2. To those responsible for providing health care.
3. As necessary to make a claim for payment.
4. To qualified personnel for the purpose of conducting research, management audits, financial audits, program evaluations or similar studies.

HIPAA Privacy Regulations
TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.
Notice of Privacy Practices
§164.520(c)(2)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.
Research
§164.512(i)
• CEs may use and disclose PHI for research purposes if they meet certain requirements.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• Because disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, CEs that are direct treatment providers may disclose PHI to those responsible for providing treatment, to make a claim for payment or for operational purposes such as audits and evaluations only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.
• If the disclosure is for research purposes, CEs must comply with HIPAA’s more stringent disclosure requirements.

Missouri Statute
5. To the courts as necessary for the administration of §§199.001 to 199.055, RSMo (injury prevention, head injury rehabilitation and local health services).

HIPAA Privacy Regulations
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• Though this portion of §199.033, RSMo does not have any requirements for disclosure to the courts for the delineated purpose, HIPAA has more stringent requirements that must be met if the request for records comes in any form other than a court or administrative order.
• Thus, CEs must follow HIPAA before disclosing records to the courts as permitted under this Missouri statute.

Missouri Statute
6. To law enforcement officers or public health officers to the extent necessary for them to carry out their duties.

HIPAA Privacy Regulations
Law Enforcement Purposes
§164.512(f)
• CEs may disclose PHI for certain law enforcement purposes if they meet applicable requirements.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
Law Enforcement Officers
• Though HIPAA limits access by law enforcement as it relates to some of their duties, this provision of Missouri law would allow access as it relates to any of their duties. Thus, HIPAA is more stringent and must be followed.

HIPAA Privacy Regulations
Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
Public Health Officers
• Access by public health officers under Missouri law could contemplate both public health activities and health oversight activities under HIPAA. The laws do not appear to conflict so CEs may disclose PHI pursuant to this portion of §199.033, RSMo without violating HIPAA.

Missouri Statute
7. Pursuant to an order of a court or administrative agency of competent jurisdiction.

HIPAA Privacy Regulations
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? Yes
State Law or HIPAA? State

Discussion and Conclusion
• Though HIPAA would allow disclosure to courts and administrative agencies without a court order if certain conditions are met, Missouri law requires a court order in this portion of §199.033, RSMo. Thus, Missouri law is more stringent and CEs may only disclose patient records of rehabilitation facilities under this section with a court order.

Missouri Statute
8. To DHSS as necessary to report or investigate abuse, neglect or violations of patients’ rights.

HIPAA Privacy Regulations
Victims of Abuse, Neglect or Domestic Violence
§164.512(c)
• CE may disclose PHI to an agency authorized to receive information about an individual believed to be a victim of abuse, neglect or domestic violence to the extent such disclosure is required by law and complies with the requirements of that law.
• If the CE discloses PHI pursuant to this section of HIPAA, it must inform the individual of the disclosure except for certain delineated situations where the safety of the individual is at risk.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• To the extent HIPAA requires appropriate notice to the individual for reports of abuse and neglect other than child abuse or neglect, HIPAA is more stringent than state law, which does not require any notice to the abused or neglected individual.
CEs may report abuse under this section only if they provide the appropriate notice to the abused/neglected individual under HIPAA.

Missouri Statute
Commitment and Hospitalization of Tuberculosis (TB) Patients
§§199.170; 199.180, 199.200; 199.240; 199.270
19 CSR 20-20.100
§199.170
• “Local board” is defined as any legally constituted local city or county board of health or health center board of trustees or the director of health of the city of Kansas City or the commissioner of health of the city of St. Louis, or in the absence of such a board, the county commission or the county board of tuberculosis hospital commissioners of any county.
§199.180
• The “local board” may file a petition for the commitment of certain patients with TB.
§199.200
• Examination records admissible in court.
§199.240
• Cannot require TB patients to submit to treatment without the patient’s consent.
§199.270
• Procedure for release of committed TB patient.

HIPAA Privacy Regulations
TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.
Notice of Privacy Practices
§164.520(c)(2)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.
Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• If the local board is considered to be a CE, its disclosure of PHI for treatment purposes, such as disclosure to the court as part of commitment proceedings, is governed by HIPAA.
• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, if the local board is considered a CE that is a direct treatment provider, it may disclose PHI by filing a petition with the court under this provision of state law only if it complies with the more stringent requirements for the HIPAA NPP acknowledgment.

*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230.

Missouri Statute
19 CSR 20-20.100
• Requires suspected or confirmed cases of TB to be reported to DHSS or a local health authority.

HIPAA Privacy Regulations
Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report cases of TB to public health authorities pursuant to Missouri law without violating HIPAA because it is a permissible public health activity.

County Health and Welfare Programs

Missouri Statute
DMH: Information Collection from Community Mental Health Centers
§205.988
• Lists certain duties of DMH with respect to community mental health centers.
• One such duty is to develop and collect information needed to perform its duties in a manner that does not identify any individual who received services from a community mental health center as defined in §205.975, RSMo.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.
De-identification of PHI
§164.514
• Lists all elements of PHI that must be eliminated in order to de-identify the PHI.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
The collection of information by DMH could involve PHI that does not “identify” an individual under Missouri law but may be different from “de-identified” information under HIPAA.
CEs may disclose PHI to DMH as part of this collection process without violating HIPAA because such disclosure is required by state law and is a permissible health oversight activity.

Old Age Assistance, Aid to Dependent Children and General Relief

Missouri Statute
Medicaid Program
§§208.155, 208.164, 208.175, 208.176, 208.201, 208.204, 208.215 and 208.217
§208.155
• Records of applicants and recipients are confidential.
§208.164
• Confidential reporting of fraud and abuse.
• Oversight/review of claims records
• Investigation and sanctions for fraud or abuse.
§208.175
• Drug Utilization Review Board for oversight of drug use and prescribing practices under the Medicaid program.
§208.176
• Prospective review of drug therapy
• For children in legal custody of Dept of Social Services, the Dept must provide for medical treatment and disclose relevant information about such treatment to the appropriate judge.
§208.201
• Mo HealthNet established to replace Division of Medical Services (DMS)
§280.215
• Recoupment of funds paid by Medicaid program that are later reimbursed by another individual/entity.
§208.217
• Dept of Social Services may obtain insurance information on patients who receive benefits under state Medicaid program.

HIPAA Privacy Regulations
Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.
Hybrid Entity
§160.103
• A hybrid entity is a CE whose business activities include both covered and non-covered functions.
Health Care Component
§164.504(b)
HIPAA only applies to the health care component of a hybrid entity.
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.
TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.
Notice of Privacy Practices
§164.520(c)(2)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• Mo HealthNet is a CE to the extent it is a covered health plan but it is a hybrid entity because it has non-covered functions such as health care oversight.
• To the extent Mo HealthNet uses and discloses PHI for TPO in its capacity as a health plan, it may do so in compliance with state law without violating HIPAA because the NPP acknowledgment requirements only apply to direct treatment providers.
• To the extent Mo HealthNet uses and discloses PHI for one of its non-covered functions, HIPAA does not apply and state law should be followed.
• CEs may use or disclose PHI to DMS for health care oversight purposes without violating HIPAA.

Aid to the Blind-Rights of Persons with Visual, Hearing or Physical Disabilities

Missouri Statute
Interpreters for Deaf and Speech Impaired Persons
§§209.263, 209.265 and 209.339
§§209.263 and 209.265
• Information provided to a person who interprets, translates or relays a conversation between a person who can hear and deaf person is confidential and may not be disclosed without the consent or written permission of the deaf person or a court order.
• Information that would be privileged is still privileged even if an auxiliary aid and service provider or relay agent is used.

HIPAA Privacy Regulations
Authorizations
§164.508
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• The content of such authorization must comply with HIPAA standards.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
Consent/Authorization
• To the extent Missouri law permits disclosure of PHI with the “consent” or “written permission” of the patient, it is preempted by HIPAA, which has more stringent requirements concerning the content of an authorization.
• Thus, CEs may not disclose the contents of an interpreted conversation under state law unless a HIPAA compliant authorization is obtained.

Missouri Statute
§209.339
• The contents of the interpreted conversation may not be withheld when requested as part of procedures for disciplining a licensee or in determining whether an individual has practiced interpreting without a license.

HIPAA Privacy Regulations
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
Court Order
• To the extent Missouri law would permit disclosure pursuant to a court order, CEs may do so without violating HIPAA.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
Licensing/Discipline
• CEs may disclose the contents of an interpreted conversation as part of the licensure/disciplinary process under state law without violating HIPAA because it is required by law.

Missouri Statute
Reporting of Blood Tests of Pregnant Women
§§210.040 and 210.050
• 210.040 Positive results for syphilis or hepatitis B must be reported to the county or municipal department of health where the pregnant woman resides.
• §210.050 When reporting births and stillbirths as required by law, physicians and others must also report whether a blood test for syphilis was performed, including the date and location of the test, or, if no test, the reason for not conducting the test. They must also report whether a blood test for hepatitis B was performed.

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report information about blood tests on pregnant women as required under state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.

Missouri Statute
Reporting of Infant Eye Inflammation
§§210.070 and 210.080
• Requires certain physicians, midwives and nurses to deliver prophylactic drops in the eyes of newborns and then report compliance to the board of health or county physician of the city, town or county where the birth occurs.
• Requires reporting of certain cases of infant eye inflammation within first two weeks after birth.

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report infant eye inflammation as required under state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.

Missouri Statute
Reporting and Investigation of Child Abuse
§§210.109; 210.111; 210.115; 210.120; 210.125; 210.130; 210.140; 210.145; 210.150; 210.152; 210.160; 210.167; 210.183
• Covers persons and officials who must report or cause a report to be made to DHSS if they have reasonable cause to suspect that a child has been or may be subjected to abuse or neglect or observes a child being subjected to circumstances that would reasonably result in abuse or neglect.
• All other persons not listed in 210.115 may report suspected child abuse or neglect

HIPAA Privacy Regulations
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
Public Health Activities
§164.512(b)(1)(ii)
• CEs may disclose PHI to a public health authority authorized to receive reports of child abuse or neglect.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report child abuse or neglect as required under state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and/or is a permissible public health activity.

Missouri Statute
Death of Children: Child Fatality Review Panel
§§210.192 and 210.196
• The Child Fatality Review Panel reviews deaths of certain children under the age of eighteen years.
• The panel issues a final report of each investigation, which is a public record.
• DHSS reviews the reports and periodically prepares epidemiological reports describing the incidence, causes, location and other factors pertaining to childhood deaths.
Hospitals, physicians, medical professionals, mental health professionals or DMH facilities are required to disclose upon request all records of children whose deaths are eligible to be reviewed by the panel.

HIPAA Privacy Regulations
Preemption Exception
§160.203
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
Public Health Activities
§164.512(b)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.
Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.
Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.
Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.
De-identification of PHI
§164.514
• Lists all elements of PHI that must be eliminated in order to de-identify the PHI.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may report deaths to be reviewed by the Child Fatality Review Panel under state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.
• Though members of the panel may be CEs, the panel itself is not. It has no covered functions. Thus, disclosure by the panel is not covered by HIPAA.
• Disclosure by DHSS in the form of epidemiological reports could involve PHI that is not de-identified because it has the location of the death. Though DHSS may be considered a hybrid entity, the release of epidemiological reports is not a covered function and thus would not be governed by HIPAA.

Missouri Statute
Permanency Hearings
§210.720
• Court shall consider the mental and physical health of all individuals involved including any history of abuse.

HIPAA Privacy Regulations
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• CEs may not disclose PHI at a permanency hearing unless for disclosure as part of judicial and administrative proceedings.
• Need court order, administrative order or, in certain circumstances, subpoena, discovery request or other lawful request.

Missouri Statute
Paternity Hearings
§210.832
• The testimony of a physician at a paternity hearing about the medical circumstances of the pregnancy and the condition of the child at birth is not privileged.

HIPAA Privacy Regulations
Uses and Disclosures: General Rules
§164.502
• CEs may not use or disclose PHI except as permitted under HIPAA.
Authorizations
§164.508
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• The content of such authorization must comply with HIPAA standards.
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• Though the information disclosed under this provision of Missouri law is not privileged under state law, HIPAA is more stringent in that it prohibits disclosure unless pursuant to a valid authorization or an appropriate exception.
• Thus, CEs may not disclose PHI at a paternity hearing unless they follow the HIPAA requirements for an authorization or the requirements for disclosure as part of judicial and administrative proceedings.
• Need valid HIPAA authorization, court order, administrative order, or in certain circumstances, a subpoena, discovery request or other lawful request.

Missouri Statute
Paternity Cases: Required Blood Tests
§210.834
• The court may and upon request of any party require another party to the action and any male witness to submit to blood tests and have results disclosed in a paternity case.

HIPAA Privacy Regulations
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.
As Required by Law
§164.512(a); 164.512(a)(2)
CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose the results of blood tests in a paternity case based on an order of the court under §210.834, RSMo without violating HIPAA because both state law and HIPAA permit disclosure in response to a court order.

Missouri Statute
Juveniles and 17-year-olds: Court-Ordered Physical or Mental Examinations
§§211.161, 211.202 and 211.203
§211.161
• A court may order a child or 17-year-old within the juvenile court’s jurisdiction to be examined by a physician, psychiatrist or psychologist appointed by the court in order to determine the condition of the individual as it may be relevant to the disposition of such individual’s case.
§211.202
• A court may order a child or 17-year-old within the juvenile court’s jurisdiction to be examined by a physician, psychiatrist or psychologist appointed by the court or by the department of mental health if the child appears to be mentally disordered (other than mentally retarded or developmentally disabled).
• Reports of such evaluations must be submitted to the court under certain circumstances.
§211.203
• A court may order a child or 17-year-old within the juvenile court’s jurisdiction to be examined by a physician, psychiatrist or psychologist appointed by the court or by the department of mental health if the child appears to be mentally retarded or developmentally disabled.

HIPAA Privacy Regulations
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f)
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose their evaluation of a child or 17-year-old to the court under these Missouri statutes without violating HIPAA because such disclosure is required by law and will ordinarily be in response to an order of the court.








Missouri Statute
Juveniles: Referral to DMH
§211.207
• The Division of Youth Services within the DSS may refer a child committed to its custody to DMH for evaluation and a determination of whether the child needs treatment for a mental disorder.

HIPAA Privacy Regulations
Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.
Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.
Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.
TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.
Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion
• DSS is a health care provider to the extent it is responsible for providing health care to youth in the foster care program. It is a health plan because of DMS.
• As a CE, DSS must comply with HIPAA.
• It is a hybrid CE because it has covered and non-covered functions.
• When the Division of Youth Services of DSS refers a child to DMH under this provision of state law, it is for treatment purposes.
• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, to the extent DSS is a direct treatment provider, it may disclose PHI for treatment purposes only if it complies with the more stringent requirements for the HIPAA NPP acknowledgment.

Missouri Statute
• DMH shall notify the Division whether such treatment is necessary.

HIPAA Privacy Regulations
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• DMH, as a covered entity, may provide PHI to the Division of Youth Services under Missouri law without violating HIPAA because it is required by law.

Parental Rights: Uses and Disclosures: Yes HIPAA • Though admission 
Termination General Rules of PHI at a 
§211.459 §164.502 proceeding for 
• Physician-patient • CEs may not use or termination of 
privilege cannot prohibit disclose PHI except as parental rights is 
the admission of permitted under HIPAA. permissible under 
evidence at a proceeding state law, HIPAA is 
for the termination of 
parental rights. 

Authorizations 

§164.508 

e Except as otherwise 
permitted under HIPAA, a 
CE may not use or 
disclose PHI without an 
authorization. 

e The content of such 
authorization must comply 
with HIPAA standards. 


Judicial and Administrative 
Proceedings 
§164.512(e)(1)(i) 

e CEs may disclose PHI in 
the course of any judicial 
or administrative 
proceeding in response to 
an order by the court or 
administrative tribunal or, 
if certain circumstances 
are met, in response to a 
subpoena, discovery 
request or other lawful 
process. 

more stringent and 
would require an 
authorization or 
appropriate judicial 
or administrative 
request. 

CEs may not 
disclose PHI at a 
termination 
proceeding unless 
they follow the 
HIPAA 
requirements for an 
authorization or the 
requirements for 
disclosure as part of 
judicial and 
administrative 
proceedings. 

DOC: Duties Covered Entity No State • DOC is a health care 
§217.015 §160.103 provider to the 
• DOC is responsible for • A covered entity includes extent it provides 
ensuring that female health care providers that health care to its 
offenders are provided transmit health inmates. 
medical and mental information in electronic Such care is 
health care. form in connection with a ordinarily provided 
transaction covered by by contract with 
HIPAA. various health care 
providers. 

Hybrid Entity Because in all 

§164.504(a) likelihood, DOC, 

e A hybrid entity is a type either directly or by 
of covered entity that has contract, engages in 
covered and non-covered covered transactions 
functions. Such entities with respect to 
have the obligation to certain inmates, this 
designate their health care analysis assumes 
components. DOC is a CE. 

Because DOC also 

Health Care Component has non-covered 

§164.504(b) functions, it is a 

e HIPAA only applies to the hybrid entity, which 
health care component of means that HIPAA 
a hybrid entity. applies to its covered 

functions. 

DOC: Audits of Records As Required by Law No State As a CE, DOC may 
§217.070 §164.512(a) disclose PHI to the 
e The State Auditor shall e CEs may use or disclose State Auditor 

have access to all records PHI without giving the pursuant to state law 

maintained by DOC. individual the opportunity without violating 
• Confidential records to agree or object and HIPAA because 
must be disclosed in a without an authorization if such disclosure is 
manner that does not it is required by law and is required by law but 
reveal “personally limited to the disclosure is limited 
identifiable information.” requirements of such law. by the requirements 
of that law. 
e Thus, the PHI must 
be disclosed by 
DOC without 
“personally 
identifiable 
information” as that 
term is interpreted 
under state law. 
DOC: Offender Medical As Required by Law No State e CEs may disclose 
Records §164.512(a) PHI to DOC under 
§217.075 e CEs may use or disclose this provision of 
• Medical records of PHI without giving the Missouri law 
offenders in the custody individual the opportunity without violating 
of DOC are closed to agree or object and HIPAA because 
records. without an authorization if such disclosure is 
e Health care providers and it is required by law and is required by law. 
hospitals that care for limited to the 
offenders are required to requirements of such law. 
provide copies of 
medical records upon 
demand by DOC’s health 
care administrator. 
• Such providers are not 
liable for a breach of 
confidentiality under 
state law. 
DOC: Medical Excuse Hybrid Entity No State e DOC may disclose 
from Participation of §164.504(a) PHI as part of a 
Inmates in Required e A hybrid entity is a type medical excuse 
Activities of covered entity that has under state law 
§217.245 covered and non-covered without violating 
e The medical personnel of functions. Such entities HIPAA because 
a correctional institution have the obligation to such disclosure 
shall certify an inmate’s designate their health care relates to the 
reason for not being able components. administration of the 
to participate in required correctional system 
activities. As Required by Law and not to its 
§164.512(a) function as a health 
e CEs may use or disclose care provider. 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Health Care Component 
§164.504(b) 
HIPAA only applies to the 
health care component of a 
hybrid entity. 
DOC: Inmates with Hybrid Entity No State • DOC may disclose 
Terminal Illness or §164.504(a) PHI as it relates to 
Advanced Age e A hybrid entity is a type recommendations 
§217.250 of covered entity that has for parole or 
e When an inmate has a covered and non-covered commutation of an 
terminal illness or is of functions. Such entities inmate’s sentence 
such age that continued have the obligation to under state law 
confinement would be designate their health care without violating 
detrimental, the components. HIPAA because 
department of corrections such disclosure 
may recommend parole Health Care Component relates to the 
to the board of probation §164.504(b) administration of the 
and parole or a e HIPAA only applies to the correctional system 
commutation of sentence health care component of and not to its 
to the governor. a hybrid entity. function as a health 
care provider. 
DOC: Access to Inmate Hybrid Entity No State e DOC may disclose 
Records by Board of §164.504(a) PHI to the Board of 
Probation and Parole e A hybrid entity is a type Probation and Parole 
§217.270 of covered entity that has under state law 
e The Board of Probation covered and non-covered without violating 
and Parole shall have functions. Such entities HIPAA because 
access to inmate records have the obligation to such disclosure 
deemed pertinent by the designate their health care relates to the 
board in determining components. administration of the 
whether an inmate should correctional system 
be paroled. Health Care Component and not to its 
§164.504(b) function as a health 
• HIPAA only applies to the care provider. 
health care component of 
a hybrid entity. 
As Required by Law 
§164.512(a) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
DOC: Classification of TPO Yes HIPAA e Because the 
Inmates §164.506 disclosure of PHI by 
§217.335 e CEs may use and disclose CEs that are direct 
e Information from the PHI for treatment, treatment providers 
department of payment and health care for TPO under 
corrections’ reception operations. HIPAA requires 
and diagnostic center is compliance with the 
provided to a Notice of Privacy Practices requirements for the 
classification team for §164.520(c) HIPAA NPP 
determining appropriate • CEs that are direct acknowledgment, 
custodial care and treatment providers must HIPAA is more 
treatment. provide the NPP to their stringent than state 
patients and attempt to law. 
obtain a written • As a direct treatment 
acknowledgment of provider, DOC may 
receipt of the NPP. disclose PHI under 
state law for 
diagnostic and 
treatment purposes 
only if it complies 
with the more 
stringent 
requirements for the 
HIPAA NPP 
acknowledgment. 
DOC: Contracts with Business Associate Yes HIPAA e Since DOC is a CE, 
Residential Treatment §160.103 delegation of its 
Centers e The definition of business covered function as 
§217.430 associate includes entities a health care 
e DOC may contract with that perform a function or provider must follow 
private or public activity on behalf of a applicable HIPAA 
organizations to establish covered entity involving business associate 
residential treatment the use or disclosure of requirements. 
facilities and other individually identifiable e Though state law 
community-based health information. would not require 
programs where compliance with BA 
individuals in the custody requirements, 
of the DOC may be HIPAA is more 
housed and supervised stringent and must 
outside of regularly be followed. 
established correctional 
centers. 
DOC: Interstate Business Associate Yes HIPAA • Since DOC is a CE, • None 
Corrections Compact §160.103 delegation of its 
§217.535 • The definition of business function as a 
e DOC may contract with associate includes entities correctional 
other states to provide that perform a function or institution, which 
custodial care on behalf activity on behalf of a includes its covered 
of Missouri (which may covered entity involving function as a health 
include the provision of the use or disclosure of care provider, must 
medical services). The individually identifiable follow applicable 
statute also provides for health information. HIPAA BA 
access to records of such requirements. 
custodial care. e Though state law 
would not require 
compliance with BA 
requirements, 
HIPAA is more 
stringent and must 
be followed. 
DOC: Postconviction Drug As Required by Law No State • DOC may provide 
Treatment Program §164.512(a) PHI to the court 
§217.785 e CEs may use or disclose without violating 
e DOC shall establish a PHI without giving the HIPAA because it is 
postconviction drug individual the opportunity required by law. 
treatment program and to agree or object and 
shall submit reports to without an authorization if 
the applicable court it is required by law and is 
outlining the limited to the 
performance of the requirements of such law. 
inmates in the program. 
Jails: Medical Treatment Covered Entity No State The county jail is a 
for Prisoners §160.103 health care provider 
§221.120 e A covered entity includes to the extent it is 
e Jailer of a county jail health care providers that required to provide 
must procure necessary transmit health health care to its 
or proper medical information in electronic prisoners. 
treatment for prisoners. form in connection with a If the jail engages in 
• In some cases the county transaction covered by covered transactions, 
commission may HIPAA. it would be a hybrid 
authorize payment for CE under HIPAA 
such care or employ a Hybrid Entity because it would 
physician to provide such §164.504(a) have covered and 
care. e A hybrid entity is a type non-covered 
of covered entity that has functions. 
covered and non-covered Though the county 
functions. Such entities commission may 
have the obligation to pay for some of the 
designate their health care health care, it would 
components. not be considered a 
CE. 
Health Care Component 
§164.504(b) 
e HIPAA only applies to the 
health care component of 
a hybrid entity. 
Jails: Contagious Disease As Required by Law No State To the extent 
of County Prisoners §164.512(a) physicians are 
§221.130 • CEs may use or disclose required to report to 
• When a physician PHI without giving the the commission, 
employed by the county individual the opportunity they may do so 
commission determines to agree or object and without violating 
that a prisoner has a without an authorization if HIPAA because it is 
contagious disease, the it is required by law and is required by state 
physician shall notify the limited to the law. 
commission, which may requirements of such law. e To the extent the 
then order the sheriff or commission is 
marshal to place the permitted to disclose 
prisoner in another PHI to the sheriff or 
location until infectious marshal for the 
risk is gone. purpose of 

relocating the 
infectious prisoner, 
it is not a CE and 
may do so without 
violating HIPAA. 

Jails: Use of Jails in Other Business Associate No State If the county jail is a 

Counties §160.103 CE, it may delegate its 

§221.230 e Definition of business function as a jail, 

• A county jail that is associate includes entities including its covered 
insufficient to commit a that perform a function or function as a health care 
county prisoner in its activity on behalf of a provider, without 
custody may send the covered entity involving violating HIPAA as long 
prisoner to the nearest the use or disclosure of as it follows the more 
jail of another county. individually identifiable stringent HIPAA 

e The other county is then health information. requirements regarding 
responsible for BAs. 
safekeeping the prisoner. 

*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal 
and enforceable in accordance with the law per RSMo. §432.230. 

Missouri Statute 

Workers’ Compensation 
§§287.140; 287.210; 287.240; 287.350; 287.380; 287.420; 287.460; 287.560; 287.894; 287.937 
8 CSR 20-3.010, et seq. 
8 CSR 50-5.010, et seq. 
• Provide for use and disclosure of medical information for workers’ compensation purposes. 

HIPAA Privacy Regulations 

Workers’ Compensation 
§164.512(l) 
• CE may disclose PHI in accordance with workers’ compensation laws. 

As Required by Law 
§164.512(a) 
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law. 

Conflict? 

No 

State Law or HIPAA? 

State 

Discussion and Conclusion 

• CEs may disclose PHI in connection with a workers’ compensation claim under Chapter 287, RSMo without violating HIPAA because such disclosure is permitted under HIPAA. 

Implications for Electronic HIE 

Reporting of Occupational Preemption Exception No State • Physicians may 
Diseases §160.203(c) report occupational 
§§292.340 and 292.350 • Generally, HIPAA diseases to DHSS 
§292.340 preempts contrary state without violating 
• Any physician who laws. HIPAA because 
performs an examination • One exception to that rule such reports are 
of an employee pursuant is when the state law exempted from 
to §292.330, RSMo shall provides for the reporting preemption and their 
report occupational of disease or injury, child disclosure is 
diseases to DHSS. 
§292.350 
• DHSS then is required to 
report back to the 
employer. 

Chemical Tests: Implied 
Consent of Commercial 

abuse, birth or death, or 
for the conduct of public 
health surveillance, 
investigation or 
intervention. 


As Required by Law 

§164.512(a) 

e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 


Public Health Activities 

§164.512(b)(1)(i) 

e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 


As Required by Law 
§164.512(a) 

State 

required by law and 
is a permissible 
public health 
activity. 

e DHSS may report 
back to the employer 
without violating 
HIPAA because it is 
required by law. 


e Though the 
authorization of the 
Drivers • CEs may use or disclose law enforcement 
§302.745 PHI without giving the officer to request the 
e Any person who drives a individual the opportunity results of the tests or 
commercial motor to agree or object and the blood specimen 
vehicle within the state is without an authorization if itself is implied in 
deemed to have it is required by law and is the law, it is 
consented to chemical limited to the nevertheless a 
tests of breath, blood, requirements of such law. requirement of the 
saliva or urine to law. 
determine the level or e Thus, a CE may 
presence of alcohol or disclose, without 
controlled substances in violating HIPAA, 
his or her system. the results of the 
e Tests may be chemical tests or the 
administered at the blood specimen to 
direction of a law the law enforcement 
enforcement officer who officer requesting 
has reason to believe that the test. 
the driver was driving 
with alcohol or 
controlled substances in 
his or her system. 
e NOTE: The statute does 
not expressly permit a 
CE to give the results of 
chemical tests or the 
blood specimen to the 
law enforcement officer. 
However, it seems to be 
implied in the statute as 
well as in State v. 
Copeland, 680 S.W.2d 
327, 330 (Mo.App., S.D. 
1984), a case involving a 
similar statute related to 
operating a motor vehicle 
while under the influence 
of alcohol or drugs. 

e Also, §302.520, RSMo 
indicates the procedure to 
be followed when the 
results of the chemical 
tests are available to the 
officer while the arrested 
person is still in custody. 
This presupposes the fact 
that the officer has access 
to the test results. 

Chemical Tests: Operating As Required by Law No State • Though the 
Watercraft or Waterborne §164.512(a) authorization of the 
Devices Under the • CEs may use or disclose law enforcement 
Influence PHI without giving the officer to request the 
§§306.114 and 306.116 individual the opportunity results of the tests or 
• Allows chemical tests of to agree or object and the blood specimen 
a person’s breath, blood, without an authorization if itself is implied in 
or saliva to determine the it is required by law and is the law, it is 
alcohol content of the limited to the nevertheless a 
blood at the direction of a requirements of such law. requirement of the 
law enforcement officer. law. 
NOTE: The statute does • Thus, a CE may 
not expressly permit a disclose, without 
CE to give the results of violating HIPAA, 
chemical tests or the the results of the 
blood specimen to the chemical tests or the 
law enforcement officer. blood specimen to 
However, it seems to be the law enforcement 
implied in the statute as officer requesting 
well as in State v. the test. 

Copeland, 680 S.W.2d 
327, 330 (Mo.App., S.D. 
1984), a case involving a 
similar statute related to 
operating a motor vehicle 
while under the influence 
of alcohol or drugs. 

Also, §302.520, RSMo 
indicates the procedure to 
be followed when the 
results of the chemical 
tests are available to the 
officer while the arrested 
person is still in custody. 
This presupposes the fact 
that the officer has access 
to the test results. 
Licensure: Clinical Health Oversight Activities No State As part of a state 
Perfusionists §164.512(d) licensing 
§§324.165 and 334.127 e CEs may disclose PHI to investigation, 
20 CSR 2150-8.130 health oversight agencies licensees may 
for oversight activities disclose PHI to the 
e §324.165 and authorized by law, Board of 
20 CSR 2150-8.130 including audits, Registration for the 
Authorizes investigation investigations, Healing Arts without 
by the Board of inspections, licensure etc. violating HIPAA 
Registration for the because it is a 
Healing Arts of permissible health 
complaints relating to oversight activity. 
licensure violations of 
clinical perfusionists. 
• §334.127 The State 
Board of Registration for 
the Healing Arts may 
investigate, issue 
subpoenas and require 
production of documents. 
Licensure: Dieticians Health Oversight Activities No State Though the State 
§324.217 §164.512(d) Committee of 
20 CSR 2115-1.030 e CEs may disclose PHI to Dieticians is not 
e The Division of health oversight agencies expressly given the 
Professional Registration for oversight activities authority to 
in coordination with the authorized by law, investigate the 
State Committee of including audits, records of the 
Dieticians may pursue a investigations, licensed dieticians, it 
complaint against a inspections, licensure etc. is implied from the 
licensed dietician in the fact that they may 
administrative hearing pursue a complaint 
commission. against the 
dieticians. 

e As part of a 
licensure 
investigation, 
licensees may 
disclose PHI to the 
Division of 
Professional 
Registration or the 
State Committee of 
Dieticians without 
violating HIPAA 
because it is a 
permissible health 
oversight activity. 

Licensure: Massage Health Oversight Activities No State e As part of a 
Therapists §164.512(d) licensure 
§§324.250 and 324.255 e CEs may disclose PHI to investigation, 
20 CSR 2197-6.020 health oversight agencies licensees may 
for oversight activities disclose PHI to the 
§324.250 authorized by law, Division of 
• Requires a survey including audits, Professional 
inspection for the investigations, Registration or 
renewal of a business inspections, licensure etc. Board of 
license for massage Therapeutic 
therapy. As Required by Law Massage without 
§164.512(a) violating HIPAA 
§324.255 e CEs may use or disclose because it is a 
e Authorizes other survey PHI without giving the permissible health 
inspections during individual the opportunity oversight activity. 
normal business hours. to agree or object and 
without an authorization if 
20 CSR 2197-6.020 it is required by law and is 
e Authorizes the Division limited to the 
of Professional requirements of such law. 
Registration/Board of 
Therapeutic Massage to 
investigate licensure 
complaints. 
Licensure: Acupuncturists | Health Oversight Activities No State e As part of a 
§§324.481 and 324.499 §164.512(d) licensure 
20 CSR 2015-1.010 e CEs may disclose PHI to investigation, 
health oversight agencies licensees may 
§324.481 for oversight activities disclose PHI to the 
e The State Board of authorized by law, Division of 
Chiropractic Examiners including audits, Professional 
has the authority to issue investigations, Registration, the 
subpoenas to compel inspections, licensure etc. State Board of 
witnesses to testify or Chiropractic 
produce evidence in Examiners and the 
proceedings to deny, Missouri 
suspend or revoke Acupuncturist 
licensure. Advisory Committee 
without violating 
§324.499 and 20 CSR 2015- HIPAA because it is 
1.010 a permissible health 
• The Division of oversight activity. 
Professional Registration, 
the State Board of 
Chiropractic Examiners 
and the Missouri 
Acupuncturist Advisory 
Committee have the 
authority to investigate 
alleged licensure 
violations. 

Licensure: Podiatrists Health Oversight Activities No State • As part of a 
§330.190 §164.512(d) licensure 
20 CSR 2230-2.041 • CEs may disclose PHI to investigation, 
• Authorizes the Board of health oversight agencies licensees may 
Podiatric Medicine to for oversight activities disclose PHI to the 
investigate complaints authorized by law, Board of Podiatric 
against podiatrists. including audits, Medicine without 
investigations, violating HIPAA 
inspections, licensure etc. because it is a 
permissible health 
oversight activity. 

Licensure: Chiropractors Health Oversight Activities No State • As part of a 
§331.060 §164.512(d) licensure 
20 CSR 2070-2.065 • CEs may disclose PHI to investigation, 
• The Missouri State Board health oversight agencies licensees may 
of Chiropractic for oversight activities disclose PHI to the 
Examiners may authorized by law, Missouri State 
investigate complaints including audits, Board of 
and pursue them with the investigations, Chiropractic 
Administrative Hearing inspections, licensure etc. Examiners without 
Commission. violating HIPAA 
because it is a 
permissible health 
oversight activity. 
Licensure: Dentists, Dental Health Oversight Activities No State • As part of a 
Assistants and Dental §164.512(d) licensure 
Hygienists e CEs may disclose PHI to investigation, 
§332.051 health oversight agencies licensees may 
20 CSR 2110-2.200 and for oversight activities disclose PHI to the 
20 CSR 2110-2.210 authorized by law, Dental Board 
including audits, without violating 
§332.051 and 20 CSR 2110- investigations, HIPAA because it is 
2.200 inspections, licensure etc. a permissible health 
e Dental Board has the oversight activity. 
authority to investigate Preemption Exception e Licensed dentists 
complaints against its §160.203(c) may disclose PHI to 
licensees. e Generally, HIPAA the Dental Board as 
preempts contrary state part of this 
20 CSR 2110-2.210 laws. mandatory reporting 
• Requires dentists to • One exception to that rule requirement because 
report to the Dental is when the state law such reports are 
Board any mortality or provides for the reporting exempted from 
incident requiring of disease or injury, child preemption and their 
hospitalization of a 
patient caused by or 
occurring during the 
administration of various 
forms of anesthesia or 
sedatives. 


Licensure: Physicians, 
Surgeons and Midwives 








abuse, birth or death, or 
for the conduct of public 
health surveillance, 
investigation or 
intervention. 


As Required by Law 

§164.512(a) 

e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 


Public Health Activities 

§164.512(b)(1)(i) 

e CEs may disclose PHI to a 
public health authority 
authorized to receive such 
information for the 
purpose of preventing or 
controlling disease, injury 
or disability. 


Health Oversight Activities 
§164.512(d) 

disclosure is 
required by law and 
is a permissible 
public health 
activity. 


e As part of a state 
licensing 
§§334.021, 334.260, 334.127 • CEs may disclose PHI to investigation, 
and 334.100 health oversight agencies licensees may 
for oversight activities disclose patient 
§334.021 authorized by law, information to the 
e The State Board of including audits, Board of 
Registration for the investigations, Registration for the 
Healing Arts licenses inspections, licensure etc. Healing Arts, even if 
physicians and surgeons. it is otherwise 
As Required by Law privileged under 
§334.260 §164.512(a) state law, without 
e Midwives licensed on e CEs may use or disclose violating HIPAA 
August 29, 1959 are PHI without giving the because it is a 
subject to the authority of individual the opportunity permissible health 
the State Board of to agree or object and oversight activity. 
Registration for the without an authorization if In any investigation, 
Healing Arts. it is required by law and is hearing or 
limited to the proceeding to 
§334.127 requirements of such law. determine the fitness 
e The State Board of of a licensee or 
Registration for the applicant to practice, 
Healing Arts may CEs must disclose 
investigate, issue requested PHI to the 
subpoenas and require Board of 
production of documents. Registration for the 
Healing Arts during 
§334.100 an investigation of a 
e In any investigation, licensee or applicant 
hearing or other because this 
proceeding to determine provision of 
the fitness of a licensee Missouri law 
or applicant to practice, overrides state 
patient records are statutory and 
discoverable and common law 
admissible into evidence, privileges. 
regardless of any 
statutory or common law 
privilege. 
Reporting of Intoxication Preemption Exception No State e CEs may report 
to Law Enforcement §160.203(c) intoxicated persons 
§334.265 e Generally, HIPAA pursuant to state 
e Any physician who treats preempts contrary state law, including PHI, 
a person who appears laws. without violating 
intoxicated for injuries • One exception to that rule HIPAA because 
sustained in a motor is when the state law such reports are 
vehicle accident may provides for the reporting exempted from 
immediately report it to of disease or injury, child preemption. 
the highway patrol/local abuse, birth or death, or 
law enforcement agency. for the conduct of public 
health surveillance, 
investigation or 
intervention. 
Licensure: Physical Health Oversight Activities No State e As part of a state 
Therapists and Physical §164.512(d) licensing 
Therapist Assistants e CEs may disclose PHI to investigation, 
§§334.520, 334.127 and health oversight agencies licensees may 
334.100 for oversight activities disclose PHI to the 
authorized by law, Board of 
§334.520 including audits, Registration for the 
• The Board of investigations, Healing Arts without 
Registration for the inspections, licensure etc. violating HIPAA 
Healing Arts is because it is a 
responsible for licensing As Required by Law permissible health 
physical therapists and §164.512(a) oversight activity. 
physical therapist e CEs may use or disclose e In any investigation, 
assistants. PHI without giving the hearing or 
individual the opportunity proceeding to 
§334.127 to agree or object and determine the fitness 
e The Board has authority without an authorization if of a licensee or 
to investigate, issue it is required by law and is applicant to practice, 
subpoenas and require limited to the CEs must disclose 
production of documents. requirements of such law. requested PHI to the 
Board of 
§334.100 Registration for the 
e Records relating to such Healing Arts during 
investigation are an investigation of a 
discoverable and licensee or applicant 
admissible into evidence, because this 
regardless of any provision of 
statutory or common law Missouri law 
privilege. overrides state 
statutory and 
common law 
privileges. 
Licensure: Athletic Health Oversight Activities No State e As part of a state 
Trainers §164.512(d) licensing 
§§334.706, 334.127 and e CEs may disclose PHI to investigation, 
334.100 health oversight agencies licensees may 
for oversight activities disclose PHI to the 
§334.706 authorized by law, Board of 
e The Board of including audits, Registration for the 
Registration for the investigations, Healing Arts, even if 
Healing Arts, which is inspections, licensure etc. it is otherwise 
responsible for privileged under 
registering athletic As Required by Law state law, without 
trainers, may issue §164.512(a) violating HIPAA 
subpoenas to compel e CEs may use or disclose because it is a 
witnesses to testify or PHI without giving the permissible health 
produce evidence in individual the opportunity oversight activity. 
proceedings relating to to agree or object and e In any investigation/ 
an athletic trainer’s without an authorization if hearing/proceeding 
registration. it is required by law and is to determine the 
limited to the fitness of a licensee 
§334.127 requirements of such law. or applicant to 
e The Board generally has practice, CEs must 
authority to investigate, disclose requested 
issue subpoenas and PHI to the Board of 
require production of Registration for the 
documents. Healing Arts during 
an investigation of a 
§334.100 licensee or applicant 
Records relating to such because this 
investigation are provision of 
discoverable and admissible Missouri law 
into evidence, regardless of overrides state 
any statutory or common law statutory and 
privilege. common law 
privileges. 
Licensure: Physician Health Oversight Activities No State • As part of a state
Assistants §164.512(d) licensing 
§§334.735, 334.127 and e CE may disclose PHI to investigation, 
334.100 public health oversight licensees may 
agency for oversight disclose PHI to the 
§334.735 activities authorized by Board of 
e The Board of law, including audits, Registration for the 
Registration for the investigations, Healing Arts without 
Healing Arts is inspections, licensure etc. violating HIPAA 
responsible for licensing because it is a 
physician assistants. As Required by Law permissible health 
§164.512(a) oversight activity. 
§334.127 e CEs may use or disclose e In any investigation, 
e The Board has authority PHI without giving the hearing or 
to investigate, issue individual the opportunity proceeding to 
subpoenas and require to agree or object and determine the fitness 
production of documents. without an authorization if of a licensee or 
it is required by law and is applicant to practice, 
§334.100 limited to the CEs must disclose 
e Records relating to such requirements of such law. requested PHI to the 
investigation are Board of 
discoverable and Registration for the 
admissible into evidence, Healing Arts during 
regardless of any an investigation of a 
statutory or common law licensee or applicant 
privilege. because this 
provision of 
Missouri law 
overrides state 
statutory and 
common law
privileges. 

Licensure: Respiratory Health Oversight Activities No State e As part of a 

Care Therapists §164.512(d) licensure 

§334.910 e CEs may disclose PHI to investigation, 

e The Missouri Board for health oversight agencies licensees may 
Respiratory Care within for oversight activities disclose PHI to the 
the Division of authorized by law, Division of 
Professional Registration including audits, Professional 
shall investigate all investigations, Registration or the 
licensure complaints inspections, licensure etc. Missouri Board of 
related to respiratory care Respiratory Care 
therapists and is As Required by Law without violating 
authorized to issue §164.512(a) HIPAA because it is 
subpoenas to obtain e CEs may use or disclose a permissible health 
records and information. PHI without giving the oversight activity. 


individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law.
Licensure: Nurses Health Oversight Activities No State • As part of a
§335.097 §164.512(d) licensure 
e The Board of Nursing e CEs may disclose PHI to investigation, 
may investigate licensing health oversight agencies licensees may 
violations and issue for oversight activities disclose privileged 
subpoenas to obtain authorized by law, information to the 
documents and records. including audits, Board of Nursing

e Such subpoenas may be investigations, without violating 
enforced in circuit court. inspections, licensure etc. HIPAA because it is 

a permissible health 
oversight activity. 

Licensure: Optometrists Health Oversight Activities No State e As part of a 

§336.150 §164.512(d) licensure 

20 CSR 2210-2.040 e CEs may disclose PHI to investigation, 

e The State Board of health oversight agencies licensees may 
Optometry may for oversight activities disclose PHI to the 
investigate licensure authorized by law, State Board of 
complaints against including audits, Optometry without 
optometrists. investigations, violating HIPAA 

inspections, licensure etc. because it is a 
permissible health 
oversight activity. 

Licensure: Psychologists Health Oversight Activities No State e As part of a 

§ 337.065 §164.512(d) licensure 

20 CSR 2235-4.030 e CEs may disclose PHI to investigation, 

e State Committee of health oversight agencies licensees may 
Psychologists may for oversight activities disclose PHI to the 
investigate licensure authorized by law, State Committee of 
violations. including audits, Psychologists 

investigations, without violating 
inspections, licensure etc. HIPAA because it is 
a permissible health 
oversight activity. 
Licensure: Professional Health Oversight Activities No State • As part of a

Counselors §164.512(d) licensure 

§337.520 e CEs may disclose PHI to investigation, 

e The Division of health oversight agencies licensees may 
Professional Registration for oversight activities disclose PHI to the 
within the Department of authorized by law, Division of 
Economic Development including audits, Professional 
may establish procedures investigations, Registration without 
for investigating inspections, licensure etc. violating HIPAA 
licensure violations. because it is a 

permissible health 

20 CSR 2095-1.050 oversight activity. 

e Investigation of 
complaints. 

Licensure: Social Workers | Health Oversight Activities No State e As part of a 

§337.627 §164.512(d) licensure 

20 CSR 2263-1.025 e CEs may disclose PHI to investigation, 

e The regulation creates a health oversight agencies licensees may 
process for the State for oversight activities disclose PHI to the 
Committee for Social authorized by law, State Committee for 
Workers to receive including audits, Social Workers 
licensure complaints. investigations, without violating 
The regulation is not inspections, licensure etc. HIPAA because it is 
clear as to the a permissible health 
Committee’s oversight activity. 
investigatory powers but 
the Committee is given 
the authority to 
investigate in §337.627, 
RSMo. The Committee
may also file a complaint 
with the administrative 
hearing commission 
under §337.630, RSMo. 

Licensure: Marital and Health Oversight Activities No State e As part of a 

Family Therapists §164.512(d) licensure 

§337.727 e CEs may disclose PHI to investigation, 

20 CSR 2233-1.030 health oversight agencies licensees may 

e The regulation creates a for oversight activities disclose PHI to the 
process for the Division authorized by law, Division of 
of Professional including audits, Professional 
Registration to receive investigations, Registration or the 
licensure complaints in inspections, licensure etc. State Committee of 
coordination with the Marital and Family 
State Committee of Therapists without 
Marital and Family violating HIPAA 
Therapists. The because it is a 
regulation is not clear as permissible health 
to the Committee’s oversight activity. 
investigatory powers but 
the Division is given the 
authority to investigate in 
§337.727, RSMo and
may file a complaint with 
the administrative 
hearing commission 
under §337.730, RSMo. 
Licensure: Pharmacists
and Pharmacy Technicians 
§§338.013, 338.020, 
338.095, 338.100, 338.140, 
338.150 and 338.314 
§338.095 TPO Yes HIPAA e Because disclosure 
e Defines prescription drug | §164.506 for treatment 
order and telephone e CEs may use and disclose purposes under 
prescription. PHI for treatment, HIPAA requires 
payment and health care compliance with the 
operations. requirements for the 
HIPAA NPP 
Notice of Privacy Practices acknowledgment, 
§164.520(c) HIPAA is more 
e CEs that are direct stringent than state 
treatment providers must law. 
provide the NPP to their e Thus, CEs may 
patients and attempt to disclose patient 
obtain a written information for the 
acknowledgment of purpose of calling in 
receipt of the NPP. a prescription for a 
patient only if they 
comply with the 
more stringent 
requirements for the 
HIPAA NPP 
acknowledgment. 
e Consent under state 
law is implied based
on the patient’s 
request for the 
provider to call in 
the prescription to 
the pharmacy. 
§338.013 Health Oversight Activities No State e As part of a 
e Pharmacy Technicians §164.512(d) licensure 
must be registered by the | e CEs may disclose PHI to investigation, 
Board of Pharmacy. health oversight agencies licensees may 
for oversight activities disclose PHI to the 
§338.020 authorized by law, Board of Pharmacy 
e Pharmacists must be including audits, without violating 
licensed by the Board of investigations, HIPAA because it is 
Pharmacy. inspections, licensure etc. a permissible health 
oversight activity. 
§338.100 As Required by Law 
e Requires that records §164.512(a) 
maintained by a e CEs may use or disclose 
pharmacy be considered PHI without giving the 
confidential but the individual the opportunity 
Board shall have access to agree or object and 
to prescriptions and other without an authorization if 
confidential records. it is required by law and is 
limited to the 
§338.140 requirements of such law. 
e Allows the Board of 
Pharmacy to prosecute 
licensure violations. 
§§338.150 and 338.314
• Allows the Board or a
person authorized by the 
Board to inspect 
pharmacies including 
pharmacies inside long- 
term care facilities. 
Licensure: Nursing Home | Health Oversight Activities No State • As part of a
Administrators §164.512(d) licensure 
§344.070 e CEs may disclose PHI to investigation, 
19 CSR 73-1.010 and health oversight agencies licensees may 
19 CSR 73-2.085 for oversight activities disclose PHI to the 
e The Board of Nursing authorized by law, Board of Nursing 
Home Administrators including audits, Home 
may investigate licensure investigations, Administrators 
complaints. inspections, licensure etc. without violating 
HIPAA because it is 
a permissible health 
oversight activity. 
Licensure: Speech Health Oversight Activities No State e As part of a state 
Pathologists and §164.512(d) licensing 
Audiologists e CEs may disclose PHI to investigation, 
§§345.030, 345.080, 334.127 health oversight agencies licensees may 
and 334.100 for oversight activities disclose PHI to the 
20 CSR 2150-4.090 authorized by law, Board of 
including audits, Registration for the 
§345.030 and 345.080 investigations, Healing Arts without 
• The State Board of inspections, licensure etc. violating HIPAA
Registration for the because it is a 
Healing Arts and the permissible health 
Advisory Commission oversight activity. 
for Speech-Language e In any investigation, 
Pathologists and hearing or 
Audiologists may proceeding to 
investigate licensure determine the fitness 
complaints. of a licensee or 

applicant to practice, 

§334.127 CEs must disclose 

e The State Board of requested PHI to the 
Registration for the Board of 
Healing Arts may Registration for the 
investigate, issue Healing Arts during 
subpoenas and require an investigation of a 
production of documents. licensee or applicant 

because this 

§334.100 provision of 

e Records relating to such Missouri law 
investigation are overrides state 
discoverable and statutory and 
admissible into evidence, common law 
regardless of any privileges. 
statutory or common law 
privilege. 

20 CSR 2150-4.090 

e Investigation of licensure 
complaints 
Missouri Statute
Licensure: Hearing Aid Fitters and Dealers
§346.125
20 CSR 2165-2.070
• Missouri Board of Examiners for Hearing Instrument Specialists may investigate licensure complaints.

HIPAA Privacy Regulations
Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• As part of a licensure investigation, licensees may disclose PHI to the Missouri Board of Examiners for Hearing Instrument Specialists without violating HIPAA because it is a permissible health oversight activity.


*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230.


Licensure: Health Services | Health Oversight Activities No State e As part of a 

Corporations §164.512(d) licensing 

§§354.190, 354.285 and e CEs may disclose PHI to investigation under 

354.355 health oversight agencies Chapter 354, RSMo, 

for oversight activities licensees and the 

§354.190 authorized by law, companies that 

e The Director of the including audits, manage them may 
Department of Insurance investigations, disclose PHI to the 
has authority to inspections, licensure etc. Department of 
investigate violations of Insurance without 
law pertaining to health | Business Associate violating HIPAA 
services corporations and | §160.103 because it is a 
compel production of e The definition of business permissible health 
records, books, papers, associate includes entities oversight activity.
contracts and other that perform a function or e Companies that 
documents. activity on behalf of a manage health 
covered entity involving services corporations 
§§354.285 and 354.355 the use or disclosure of must sign BA 
e The Director has same individually identifiable agreements. 
authority to review health information. e Though such 
records of companies that agreements must 
manage health services Content of BA contract require access by the 
corporations and bring §164.504(e)(2)(i)(H) Secretary, they do 
suit against such e The BA contract must not conflict with a 
corporations based on require the BA to make its state law that 
such review. records related to a CE provides access by 
available to the Secretary the Department of 
of DHHS to determine the Insurance. 
CE’s compliance under 
HIPAA. 
Licensure: Health Health Oversight Activities No State e As part of a 
Maintenance §164.512(d) licensing 
Organizations e CEs may disclose PHI to investigation under 
§§354.465, 354.500 and health oversight agencies Chapter 354, RSMo, 
354.621 for oversight activities licensees may 
e Director of the authorized by law, disclose PHI to the 
Department of Insurance including audits, Department of 
may examine the records investigations, Insurance without 
of HMOs, arrange inspections, licensure etc. violating HIPAA 
meetings with potential because it is a 
violators to ascertain Business Associate permissible health 
facts relating to the §160.103 oversight activity. 
suspected violation and • The definition of business • Intermediaries who
examine records of associate includes entities are acting as agents 
intermediaries of HMOs. that perform a function or of HMOs in 
activity on behalf of a transferring enrollee 
covered entity involving information for 
the use or disclosure of payment purposes 
individually identifiable must sign BA 
health information. agreements. 
e Though such 
Content of BA contract agreements must 
§164.504(e)(2)(i)(A) require access by the 
e The BA contract must Secretary, they do 
require the BA to make its not conflict with a 
records related to a CE state law that 
available to the Secretary provides access by 
of DHHS to determine the the Department of 
CE’s compliance under Insurance. 
HIPAA. 
Prepaid Dental Plans Health Oversight Activities No State e As part of an 
§354.717 §164.512(d) examination under 
e The Director of the e CEs may disclose PHI to Chapter 354, RSMo, 
Department of Insurance health oversight agencies CEs may disclose 
or his representative has for oversight activities PHI to the 
the authority to examine authorized by law, Department of 
records of prepaid dental including audits, Insurance without 
plans whenever he deems investigations, violating HIPAA 
it necessary. inspections, licensure etc. because it is a 
permissible health 
oversight activity. 
Limited Partnerships As Required by Law No State • To the extent CEs
§359.681 §164.512(a) may be considered 
e The Secretary of State e CEs may use or disclose limited partnerships, 
has the authority to PHI without giving the they may disclose 
examine books and individual the opportunity PHI to the Secretary 
records of limited to agree or object and of State as part of an 
partnerships and it is a without an authorization if examination under 
class B misdemeanor to it is required by law and is Chapter 359, RSMo, 
refuse to produce the limited to the CEs without 
records. requirements of such law. violating HIPAA 
because it is required 
by law. 
Insurance Companies As Required by Law No State e To the extent 
§§374.190, 374.194, 374.205, | §164.512(a) insurance companies
375.037, 375.149, 375.164, e CEs may use or disclose are CEs, they may 
375.231, 375.775, 375.937, PHI without giving the disclose PHI to the 
375.938, 375.940, 375.991, individual the opportunity Department of 
375.992, 375.994, 375.1009, to agree or object and Insurance as part of 
375.1010, 375.1050, without an authorization if an examination 
375.1100, 375.1132, it is required by law and is under Chapter 374, 
375.1156 and 375.1172 limited to the RSMo without 
e The Director of the requirements of such law. violating HIPAA 
Department of Insurance because it is required 
has the authority, under | Health Oversight Activities by law and might be 
various circumstances, to | §164.512(d) considered a 
examine, directly or e CEs may disclose PHI to permissible health 
indirectly, the books, health oversight agencies oversight activity.
records and other for oversight activities 
documents of companies authorized by law, 
in the business of including audits, 
insurance and in many investigations, 
instances may issue inspections, licensure etc. 
subpoenas and compel 
production of records. 
Genetic Information: Authorizations Yes State Confidentiality 
Confidentiality and §164.508 and and e Regarding the 
Disclosure e Except as otherwise No HIPAA general provision of 
§375.1309 permitted under HIPAA, a (depends on confidentiality of 
e Genetic information is CE may not use or the situation) genetic information, 
deemed confidential and disclose PHI without an an authorization 
may not be disclosed authorization. under HIPAA is 
unless pursuant to written | e The content of such more stringent than 
authorization of the authorization must comply the requirements for 
patient. with HIPAA standards. a State law 
authorization. 
e If HIPAA would 
require an 
authorization for a 
particular disclosure, 
the authorization 
must follow HIPAA 
requirements and 
state law is 
preempted. 
e If HIPAA would not 
require an
authorization, such 
as for TPO, the state 
authorization would 
still be required but 
it would not have to 
comply with the 
authorization content 
requirements under 


HIPAA. 
e Exceptions to the Exceptions 

authorization 

requirement are 

1. Statistical data De-identification of PHI Yes HIPAA e Absent a HIPAA- 
compiled without §164.514 compliant 
reference to the e Lists all elements of PHI authorization, 
identity of an that must be eliminated in statistical data may 
individual. order to de-identify the not be disclosed 

PHI. under HIPAA unless 


it is de-identified or 
is otherwise 
permitted under 


HIPAA. 

2. Health research in Research Yes State e The state law 
accordance with the §164.512(i) and and research exception 
federal “common e CEs may use and disclose No HIPAA has two components: 
rule” or health PHI for research purposes Research in 
research using if meet certain accordance with the
medical archives or requirements. federal “common 
databases in which rule” and research 
identity is removed or | De-identification of PHI using archives or 
encrypted. §164.514 databases. In either 
e Lists all elements of PHI event, research 
that must be eliminated in permitted under state 
order to de-identify the law would require 
PHI. compliance under 
HIPAA research 
provisions or de- 
identification of 
data. 

e Because the research 
requirements under 
state law and 
HIPAA are difficult 
to integrate, CEs 
should ensure that 
they meet the 
research 
requirements of both 
state law and 
HIPAA. 

3. Release of Judicial and Administrative Yes State e In order to release 
information pursuant | Proceedings PHI pursuant to 
to legal or regulatory | §164.512(e)(1)() Missouri legal and 
process. e CEs may disclose PHI in regulatory process, a 
the course of any judicial court or 
or administrative administrative order
proceeding in response to is generally required. 
an order by the court or See Ingram v. 
administrative tribunal or, Mutual of Omaha, 
if certain circumstances 170 F.Supp.2d 907 
are met, in response to a (W.D.Mo. 2001) 
subpoena, discovery (Health care centers, 
request or other lawful hospitals and 
process. insurers must assert 
the fiduciary duty of 
confidentiality on 
behalf of the patient, 
even if PHI is 
requested by 
subpoena). 


e Because state law 
requires a court or 
administrative order 
for disclosure 
pursuant to legal 
process, it is more 
stringent than 
HIPAA provisions 
regarding legal 
process. 

e Thus, CEs may only 
disclose genetic 
information without 
an authorization 
under this Missouri 
statutory exception
if there is a court or 
administrative order. 
4. Release of information for body identification.

HIPAA Privacy Regulations
Coroners and Medical Examiners
§164.512(g)
• CEs may disclose PHI to the coroner or medical examiner for purposes of identifying the deceased and the cause of death.
• CEs may use PHI for the same purposes if they are acting as the coroner or medical examiner in a given situation.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion
• CEs may disclose genetic information to the coroner and medical examiner or may use the information themselves for purposes of identification of the body.

Health Carrier Utilization | TPO Yes State e Utilization review is 

Review §164.506 and part of the health 

§376.1356 e CEs may use and disclose HIPAA care operations of 

e As part of the duty to PHI for treatment, the health carrier and 
have procedures for payment and health care is thus permissible 
utilization review, health operations. under HIPAA. 
carriers may delegate e The state law and 
such duty to utilization Business Associate HIPAA 
organizations if they §160.103 requirements for 
maintain adequate e The definition of business delegation of the 
oversight, including associate includes entities utilization review 
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maintaining a written 
description of the 
organization’s activities 
and responsibilities, 
evidence of formal 
approval of the 
organization’s program 
by the health carrier and 
a process for evaluating 
the organization’s 
performance. 





Durable Power of Attorney 

for Health Care 

§404.840 

e An attorney-in-fact 
designated in a durable 
power of attorney for 
health care has the same 
right of access as the 
patient to the patient’s 
medical records. 





Hospital Liens: Notice 
§430.240 





that perform a function or 
activity on behalf of a 
covered entity involving 
the use or disclosure of 
individually identifiable 
health information. 


BA Contracts 

§164.504(e) 

e Lists the required content 
of business associate 
contracts and 


arrangements. 


Personal Representatives: 
Adults and Emancipated 
Minors 

§164.5502(g)(2) 

e CEs may disclose PHI to a 
person who has authority 
to act on behalf of an adult 
or emancipated minor in 
making decisions related 
to health care. 


As Required by Law 
§164.512(a) 





No 





State 


State 





function are very 
different and are not 
easily integrated. 
Thus, health carriers 
should comply with 
both state law and 
HIPAA. 


e CEs may disclose 
PHI to attorneys-in- 
fact under state law 
without violating 
HIPAA because 
such individuals are 
considered personal 
representatives 
under HIPAA. 


e State law requires 
consent of the 
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Minors’ Medical Records 
§§431.06land 431.062 


§431.061 

e Minors generally may 
not consent to medical 
treatment for themselves 
without further consent 
from a parent, guardian 











it is required by law and is 
limited to the 
requirements of such law. 


Personal Representatives: 
Unemancipated Minors 
§164.502(g)(3)(i) 

e CEs may disclose PHI to 
an individual’s parent, 
guardian or person acting 
in loco parentis who has 
authority to act on behalf 
of an unemancipated 














State and 
HIPAA 
(depending 
on situation) 








e Once the patient 
consents under state 
law to disclosure of 
PHI for payment 
purposes, CEs may 
disclose PHI for 
payment purposes 
under the hospital 
lien statute without 
violating HIPAA 
because such 
disclosure is 
required by law. 


e To the extent minors 
are authorized under 
state law to consent 
to medical treatment 
on their own behalf, 
CEs are generally 
prohibited under 
HIPAA from 
disclosing their 
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e Fora lien to be effective, | e CEs may use or disclose patient to disclose 
the hospital must provide PHI without giving the privileged patient 
to the party alleged to be individual the opportunity information for 
liable a notice containing to agree or object and purposes of 
certain PHI. without an authorization if payment. 
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or person acting in loco minor in making decisions medical information 
parentis EXCEPT minors related to health care. to parents, guardians 
may consent on their own | ¢ EXCEPTION: The parent, or persons acting in 
behalf for treatment for guardian or person acting loco parentis. 
pregnancy, venereal in loco parentis is not the e However, to the 
disease and substance personal representative of extent physicians 
abuse or for any purpose an unemancipated minor and surgeons may 
if they have been and may not access the disclose PHI of a 
lawfully married or are a minor’s PHI if the minor minor pursuant to 
parent or legal custodian consents to a particular §431.062, RSMo 
of a child. health care service, no they may do so 

other consent is required without violating 

§431.062 by law AND the minor HIPAA because 
e A physician or surgeon does not request the HIPAA defers to 

may disclose, without the person be considered a state law, which 
minor’s consent, the personal representative. permits disclosure in 
minor’s PHI pertaining to this situation. 
examination or treatment | Personal Representatives: 
obtained for pregnancy, | Unemancipated Minors 
venereal disease or §164.502(g)(3)(ii) 
substance abuse unless e Notwithstanding the 
the minor is determined exceptions to the personal 
not to be pregnant or representative rule in 
suffering from venereal § 164.502(g)(3)(i), a CE 
disease or substance may disclose PHI of an 
abuse. unemancipated minor to 

the parent, guardian or 

person acting in loco 

parentis if it is permitted 

or required under state or 
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other law. 


Personal Representatives: 
Adults and Emancipated 
Minors 

§164.5502(g)(2) 

e CEs may disclose PHI to a 
person who has authority 
to act on behalf of an adult 
or emancipated minor in 
making decisions related 
to health care. 




















Abandoned Property As Required by Law No State e Abandoned property 
§447.539 §164.512(a) includes intangible 
e Health care providers are | e CEs may use or disclose property such as 
among those who must PHI without giving the money owed to a 
report abandoned individual the opportunity patient because of 
property to the State to agree or object and insurance 
Treasurer. without an authorization if overpayment. To 
it is required by law and is the extent such 
limited to the property reveals 
requirements of such law. patient information, 
it is PHI. 
Preemption Exception e CEs may report 
§160.203(b) abandoned property 
e Generally, HIPAA to the State 
preempts contrary state Treasurer without 
laws. violating HIPAA
• One exception to that rule because it is required
is when the state law is by law. 
more stringent and relates e Though there is no 
to the privacy of conflict between this 
individually identifiable provision of state 
health information. law and HIPAA, it 
probably does not 
Relates to the Privacy of implicate the 
Individually Identifiable preemption issue 
Health Information because it does not
§160.202 have the specific 
e A law relates to the purpose of 
privacy of individually protecting the 
identifiable health privacy of health 
information if it has the information or affect 
specific purpose of the privacy of health 
protecting the privacy of information in a 
health information or direct, clear and 
affects the privacy of substantial way. 
health information in a 
direct, clear and 
substantial way. 
Custodial and Non- Personal Representatives: No State e CEs may disclose 
custodial Parents Unemancipated Minors PHI to custodial and 
§452.375.10 §164.502(g)(3)(ii) non-custodial
• Both custodial and non- | • Notwithstanding the parents pursuant to
custodial parents shall exceptions to the personal 452.375.10, RSMo 
have access to the PHI of representative rule in without violating
their minor children § 164.502(g)(3)(i), a CE HIPAA because 
unless they have been may disclose PHI of an HIPAA defers to 
denied custody or unemancipated minor to state law, which 
visitation rights. the parent, guardian or permits disclosure in 
e However, if the non- person acting in loco this situation. 
custodial parent has parentis if it is permitted 
restricted or supervised or required under state or 
visitation rights due to other law. 
domestic violence, the 
court may order PHI to As Required by Law 
be released without the §164.512(a) 
address of the custodial e CEs may use or disclose 
parent. PHI without giving the 
individual the 
opportunity to agree or 
object and without an 
authorization if it is 
required by law and is 
limited to the 
requirements of such law. 
Missouri Statute:
Custodial Arrangements: Investigation
§452.390
• A court may order an investigation and report concerning custodial arrangements for a child.
• The investigator may obtain medical and psychiatric information concerning the child without obtaining consent from the parent or custodian of the child but the investigator must obtain the consent of the child if the child is at least 16 years old, unless the court finds the child lacks mental capacity to consent.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal.

Authorizations
§164.508
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• HIPAA has a list of core elements and requirements concerning the content of authorizations.

Conflict? Yes and No
State Law or HIPAA? State and HIPAA (depends on the situation)

Discussion and Conclusion:
• The investigation under §452.390, RSMo is performed pursuant to a court order. Though the statute permits but does not require the investigator to request access to PHI, CEs are required to disclose it upon such request.
• However, if the child is 16 years or older, state law requires the child to consent to disclosure of their PHI to the investigator.
• Thus, CEs may disclose PHI for purposes of such investigation without violating HIPAA if the child is not yet 16 years old because it is required by law.
• If the child is 16 years or older, the state statute requires consent but HIPAA would require an authorization and thus is more stringent. In such circumstances, CEs must follow HIPAA and may only disclose PHI if they obtain the authorization of the child who is 16 years or older.

Missouri Statute:
Personal Representative of an Estate
§§473.110, 473.113 and 473.117
• These statutes list individuals who may or may not be appointed as personal representatives of a deceased’s estate under various circumstances.
• Leritz v. Koehr, 844 S.W.2d 583 (Mo.App., E.D. 1993) (personal representative of a deceased individual may waive the deceased’s physician-patient privilege).

HIPAA Privacy Regulations:
Personal Representatives: Deceased Individuals
§164.502(g)(4)
• If an executor, administrator or other person has authority, under applicable law, to act on behalf of a deceased individual, a CE must treat that person as a personal representative under HIPAA and allow access to PHI accordingly.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may allow a personal representative of a deceased individual to waive the deceased individual’s privilege and disclose PHI to such representative as permitted under state law without violating HIPAA because such person is recognized as a personal representative under HIPAA.

Probate Code-Guardianship

Missouri Statute:
Guardians: Hearing on Capacity or Disability
§475.075
• Court appointed physician or licensed psychologist or other professional shall submit his report in writing to the court and counsel for all parties.

HIPAA Privacy Regulations:
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal.

As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Disclosure of report is consistent with HIPAA because such report is a result of a court order.

Missouri Statute:
Status Review of Guardianship
§475.082
• Court may require hospital, physician, or custodial facility to submit copies of their records relating to the treatment, habilitation or care of the ward.

HIPAA Privacy Regulations:
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Copies of records of a ward in guardianship hearings pursuant to a court order is consistent with HIPAA.

Missouri Statute:
Guardians: Powers and Duties
§475.120
• Guardians of incapacitated persons shall have all powers and duties required to provide for their ward’s care and treatment.

HIPAA Privacy Regulations:
Personal Representatives: Unemancipated Minors
§164.502(g)(3)(i)
• CEs may disclose PHI to an individual’s parent, guardian or person acting in loco parentis who has authority to act on behalf of an unemancipated minor in making decisions related to health care.

Personal Representatives: Adults and Emancipated Minors
§164.502(g)(2)
• CEs may disclose PHI to a person who has authority to act on behalf of an adult or emancipated minor in making decisions related to health care.

As Required by Law
§164.512(a)

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose PHI to guardians of incapacitated persons as permitted under state law without violating HIPAA because such guardians, whether their ward is an adult or a minor, are recognized as personal representatives under HIPAA.



*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230.
















Missouri Statute:
Physician-Patient Privilege
§491.060.5
• Physician cannot testify to any information acquired from any patient while attending to patient in a professional character and which is necessary to enable physician to prescribe and provide treatment for such patient.
• Common Law: The common law privilege is based on a fiduciary duty¹ of confidentiality and is applied to health care centers, hospitals and insurers.² Because the privilege is based on the patient’s relationship with a physician, it extends to records.³

HIPAA Privacy Regulations:
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

§164.508 Authorizations
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• HIPAA has a list of core elements and requirements concerning the content of authorizations.

Conflict? Yes
State Law or HIPAA? State

Discussion and Conclusion:
That statutory and common law physician-patient privilege significantly restricts the ability of such providers and entities to disclose PHI.

¹ Brandt v. Medical Defense Associates, 856 S.W. 2d 667 (Mo. Banc 1993).
² Ingram v. Mutual of Omaha, 170 F. Supp. 2d 907 (W.D. Mo. 2001).
³ State v. Henderson, 824 S.W. 2d 445 (E.D. Mo. App. 1991).

Missouri Statute:
Peer Review Committees
§537.035
• Creates peer review privilege with respect to information created by peer review committees regarding the care provided to a patient.

HIPAA Privacy Regulations:
§164.508 Authorizations
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• HIPAA has a list of core elements and requirements concerning the content of authorizations.

Conflict? Yes
State Law or HIPAA? State

Discussion and Conclusion:
• The state peer review privilege restricts disclosure of certain information created by peer review committees, which would otherwise be a permissible disclosure with a HIPAA-compliant authorization.

Missouri Statute:
Mental Capacity to be Tried or Convicted
§552.020
• Under certain circumstances, the court is required to appoint a psychiatrist, psychologist or physician with appropriate expertise to examine the accused in a criminal case and such order must direct that the report of the examination be filed with the court.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose reports of psychiatric examinations of accused individuals to the court under §552.020, RSMo without violating HIPAA because such disclosure is pursuant to a court order that is required by law.

Missouri Statute:
Not Guilty by Reason of Mental Disease or Defect
§552.030
• Under certain circumstances, the court is required to appoint a psychiatrist, psychologist or physician with appropriate expertise to examine the accused in a criminal case and such order must direct that the report of the examination be filed with the court.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose reports of psychiatric examinations of accused individuals to the court under §552.030, RSMo without violating HIPAA because such disclosure is pursuant to a court order that is required by law.

Missouri Statute:
Criminally Accused Individuals: Release after Commitment
§552.040
Under certain circumstances, the head of a facility where an individual is committed may file an application with the court for the release of the individual.

HIPAA Privacy Regulations:
TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion:
• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, CEs that are direct treatment providers may disclose PHI to the court for a determination of whether discontinuation of treatment is appropriate only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.

Missouri Statute:
• If such release of the committed individual requires examination of the individual by a psychiatrist, psychologist or physician with appropriate expertise, the report of such examination must be filed with the application.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose the results of a psychiatric examination to the court as required by this statute without violating HIPAA because it is required by law.

Missouri Statute:
• In some cases, notification of the prosecuting attorney or sheriff is required.

HIPAA Privacy Regulations:
Law Enforcement Purposes
§164.512(f)(1)
• CEs may disclose PHI for law enforcement purposes as required by law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose PHI to law enforcement officials such as the prosecuting attorney and sheriff under this section because it is required by law for law enforcement purposes.

Missouri Statute:
• The Department of Mental Health may request a peace officer to apprehend and return an individual who has violated the terms of conditional release.

HIPAA Privacy Regulations:
Serious Threat to Health or Safety
§164.512(j)(1)(ii)
• A CE may, consistent with applicable law and ethical standards, disclose PHI if the CE has a good faith belief that such disclosure is necessary for law enforcement authorities to identify or apprehend an individual where the individual has escaped from a correctional institution or other form of lawful custody as it is defined under §164.501 of HIPAA.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• DMH may disclose such PHI as is necessary to request the sheriff to apprehend an individual who has violated the terms of conditional release without authorization because the individual has effectively escaped from lawful custody.

Missouri Statute:
DOC: Transfer of Inmate to Mental Hospital
§552.050
• Permits the Department of Corrections to transfer an inmate to a mental hospital if there is reason to believe the inmate needs care in a mental hospital.

HIPAA Privacy Regulations:
TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion:
• This section contemplates one CE (DOC) disclosing PHI to another CE (DMH or a private mental hospital) in connection with the transfer of a patient for treatment purposes.
• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.

Thus, CEs that are direct treatment providers may disclose PHI for purposes of transferring patients only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.








Missouri Statute:
DOC: Mental Disease or Defect of Inmate Sentenced to Death
§552.060
• If the director of DOC has reason to believe an inmate sentenced to death has a mental disease or defect that makes the inmate unfit for execution, the director must notify the governor, DMH, prosecuting attorney, Attorney General, and the court.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

State Law or HIPAA? State

Discussion and Conclusion:
As a CE, DOC may disclose PHI to the individuals listed in this provision of Missouri law without violating HIPAA because such disclosure is required by law.

Missouri Statute:
Presentence Commitment
§557.031
• As part of the presentencing process and investigation, the court may order the commitment of a criminal defendant for a mental examination where the court determines the defendant is likely to be suffering from a mental disease or disorder.
• The results of the examination must then be provided to the court.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose the results of a mental examination under this provision of Missouri law without violating HIPAA because such disclosure is required by law.

Missouri Statute:
Sexual Offenses
§566.135
• Court may order defendant be tested for HIV, hepatitis B and C, syphilis, gonorrhea, and Chlamydia and the results shall be released to the victim, his or her parent or guardian, prosecuting attorney and defense attorney.

HIPAA Privacy Regulations:
Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Test results obtained and released during a judicial proceeding pursuant to a court order are consistent with HIPAA.

HIPAA Privacy Regulations:
Public Health Activities
§164.512(b)(1)(iv)
• CEs may report PHI to a person who may have been exposed to a communicable disease or may be at risk of contracting or spreading the disease if the CE is authorized by law to notify such person.

As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Releasing of court ordered test results to a victim of a sex offense is consistent with HIPAA because the victim may have been exposed to a communicable disease or at risk of spreading the disease.

Missouri Statute:
Chemical Tests: Operating a Motor Vehicle Under the Influence
§577.020
• Any person who operates a motor vehicle on the public highways of the state is deemed to have consented to chemical tests of breath, blood, saliva or urine to determine the alcohol or drug content in his or her blood.
• Tests may be administered at the direction of a law enforcement officer under certain circumstances indicating that the driver was driving under the influence of alcohol.

NOTE: The statute does not expressly permit a CE to give the results of chemical tests or the blood specimen to the law enforcement officer. However, it seems to be implied in the statute as well as in State v. Copeland, 680 S.W.2d 327, 330 (Mo.App., S.D. 1984), a case related to operating a motor vehicle while under the influence of alcohol or drugs.

Also, §302.520, RSMo indicates the procedure to be followed when the results of the chemical tests are available to the officer while the arrested person is still in custody. This presupposes the fact that the officer has access to the test results.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Though the authorization of the law enforcement officer to request the results of the tests or the blood specimen itself is implied in the law, it is nevertheless a requirement of the law.
• Thus, a CE may disclose, without violating HIPAA, the results of the chemical tests or the blood specimen to the law enforcement officer requesting the test.

Missouri Statute:
Chemical Tests: Access by the Individual Tested
§§577.029 and 577.208
• Whenever a chemical test is performed at the direction of a law enforcement officer, the physician, nurse or medical technician performing the test must provide complete information concerning the test to the individual tested upon his or her request.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Access of Individuals to PHI
§164.524
• CEs must allow, with certain limitations, an individual to inspect and obtain a copy of his or her PHI contained in a designated record set.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose the information about the chemical test to the individual tested pursuant to state law without violating HIPAA because it is required by law and such access is permitted under HIPAA.

Missouri Statute:
Chemical Tests: Flight Crew Members
§577.206
• Any person who operates or acts as a flight crew member of any aircraft in this state is deemed to have consented to chemical tests of breath, blood, saliva or urine to determine the alcohol or drug content in his or her blood.

Tests may be administered at the direction of a law enforcement officer.

NOTE: The statute does not expressly permit a CE to give the results of chemical tests or the blood specimen to the law enforcement officer. However, it seems to be implied in the statute as well as in State v. Copeland, 680 S.W.2d 327, 330 (Mo.App., S.D. 1984), a case involving a similar statute related to operating a motor vehicle while under the influence of alcohol or drugs.

Also, §302.520, RSMo indicates the procedure to be followed when the results of the chemical tests are available to the officer while the arrested person is still in custody. This presupposes the fact that the officer has access to the test results.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Though the authorization of the law enforcement officer to request the results of the tests or the blood specimen itself is implied in the law, it is nevertheless a requirement of the law.
• Thus, a CE may disclose, without violating HIPAA, the results of the chemical tests or the blood specimen to the law enforcement officer requesting the test.

Missouri Statute:
Chemical Tests: Admission in Evidence
§§577.037 and 577.214
• Results of chemical tests showing the alcohol content in an individual’s blood are admissible in a trial for certain delineated crimes, regardless of the physician-patient privilege in §491.060, RSMo.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose the results of blood alcohol tests to the court for admission into evidence without violating HIPAA because it is required by law and would be pursuant to a court order.
• Though it could be argued that these provisions of state law only waive the statutory privilege and not the common law privilege, the intent of the statute is to allow admission of the evidence. In any event, an order by the court to admit the evidence would eliminate this concern for CEs.

Miscellaneous Offenses

Missouri Statute:
Reporting of Gunshot Wounds
§578.350
• Anyone licensed under Chapters 334 and 335, RSMo must report to a local law enforcement official the name and address, if known, of any person they treat for a gunshot wound, the nature of the wound, and the circumstances under which the treatment was rendered.

HIPAA Privacy Regulations:
Preemption Exception
§160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Public Health Activities
§164.512(b)(1)(i)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may report gunshot wounds pursuant to state law without violating HIPAA because such reports are exempted from preemption and their disclosure is required by law and is a permissible public health activity.

Missouri Statute:
DMH: Audits of Records
§630.080
• The State Auditor shall have access to all records maintained and established by DMH.
• Limits the State Auditor from further disclosing confidential records.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose PHI to the State Auditor pursuant to §630.080, RSMo without violating HIPAA because such disclosure is required by law.
• Further disclosure of PHI by the State Auditor is not governed by HIPAA because the auditor is not a CE. It is limited by the provisions of state law.

Missouri Statute:
Patient Rights: Mental Health Records
§630.110
• Requires a patient to have access to his or her own mental and medical records maintained by certain residential facilities or day programs and mental health facilities or programs.
• EXCEPTION: Access may be limited if the head of the residential facility or day program determines that access would be inconsistent with the person’s therapeutic care, treatment, habilitation or rehabilitation and the safety of other clients and the public.

HIPAA Privacy Regulations:
Access of Individuals to PHI: Psychotherapy Notes
§164.524
• A patient does not have a right of access to inspect and copy psychotherapy notes.

Psychotherapy Notes
§164.501
• Psychotherapy notes are defined as notes that are recorded in any medium by a health care provider who is a mental health professional documenting or analyzing the contents of conversations during a private, group or family counseling session AND that are separated from the rest of the individual’s medical record.

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? Yes
State Law or HIPAA? State

Discussion and Conclusion:
Under state law, patients have greater rights of access to their mental health records, including psychotherapy notes, because access can only be limited by utilizing the therapeutic privilege, whereas under HIPAA, access to psychotherapy notes is completely prohibited. Because it provides greater access by patients to their own records, state law is more stringent than HIPAA and must be followed.

Missouri Statute:
DMH: Records of Certain Facilities Operated, Funded or Licensed by the Department of Mental Health
§630.140

Missouri Statute:
Confidentiality
• The general rule is that records compiled, obtained, prepared or maintained by certain residential facilities, day programs and mental health facilities or programs are confidential.

HIPAA Privacy Regulations:
Uses and Disclosures: General Rules
§164.502
• CEs may not use or disclose PHI except as permitted under HIPAA.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• Both state law and HIPAA generally protect medical information at residential facilities, day programs and mental health facilities or programs.

Missouri Statute:
Required Disclosures
The facility or program shall disclose information and records to the following upon their request.

HIPAA Privacy Regulations:
As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may generally disclose PHI as required under this provision of Missouri law without violating HIPAA because such disclosures are required by law.
• However, some of the required disclosures are preempted by HIPAA as described below.

Missouri Statute:
1. The parent of a minor patient, resident or client.
2. The guardian or person having legal custody of the patient, resident or client.

HIPAA Privacy Regulations:
Personal Representatives: Unemancipated Minors
§164.502(g)(3)(i)
CEs may disclose PHI to an individual’s parent, guardian or person acting in loco parentis who has authority to act on behalf of an unemancipated minor in making decisions related to health care.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose information and records to the parent of a minor patient, resident or client without violating HIPAA.

Missouri Statute:
3. The attorney of a patient, resident or client who is a ward of juvenile court, an alleged incompetent, an incompetent ward or person detained under Chapter 632, RSMo (psychiatric services including civil commitment and detention).
4. An attorney or personal physician as authorized by the patient, resident or client.

HIPAA Privacy Regulations:
§164.508 Authorizations
• Except as otherwise permitted under HIPAA, a CE may not use or disclose PHI without an authorization.
• HIPAA has a list of core elements and requirements concerning the content of authorizations.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion:
• Though CEs may disclose PHI to an attorney or personal physician as required by state law, such disclosure is only required as authorized by the patient. The authorization must meet the more stringent HIPAA authorization requirements.

Missouri Statute:
5. Law enforcement officers and agencies, if necessary to carry out their duties, information about patients, residents or clients committed pursuant to Chapter 552, RSMo (criminal proceedings involving mental illness).

HIPAA Privacy Regulations:
Law Enforcement Purposes
§164.512(f)(1)
• CEs may disclose PHI for law enforcement purposes as required by law, such as reporting statutes and regulations.

Conflict? No
State Law or HIPAA? State

Discussion and Conclusion:
• CEs may disclose PHI in order for law enforcement to carry out their duties, particularly with criminal proceedings involving mental illness, without violating HIPAA.

Missouri Statute:
6. Certain advocacy entities for persons with developmental disabilities if the individual authorizes such access or, in certain circumstances involving abuse or neglect of the individual, if the individual is unable to authorize because of mental or physical condition.
7. Certain advocacy entities for persons with mental illness. If the individual is unable to authorize such access, it will be granted in certain circumstances involving abuse or neglect of the individual.

HIPAA Privacy Regulations:
Victims of Abuse, Neglect or Domestic Violence
§164.512(c)
• CE may disclose PHI to an agency authorized to receive information about an individual believed to be a victim of abuse, neglect or domestic violence to the extent such disclosure is required by law and complies with the requirements of that law.
• If the CE discloses PHI pursuant to this section of HIPAA, it must inform the individual of the disclosure except for certain delineated situations where the safety of the individual is at risk.

Conflict? Yes
State Law or HIPAA? HIPAA

Discussion and Conclusion:
• To the extent disclosures to advocacy entities require authorization from the patient, such authorization must comply with HIPAA authorization requirements.
• In addition, CEs may only disclose PHI to advocacy agencies if they also comply with HIPAA requirements for disclosures about victims of abuse, neglect or domestic violence.

8. To mental health TPO Yes HIPAA e Because the 
coordinators as §164.506 disclosure of PHI by 
necessary for them to | e CEs may use and disclose CEs that are direct 
carry out their duties PHI for treatment, treatment providers 
under Chapter 632, payment and health care for TPO under 
RSMo. (psychiatric operations. HIPAA requires 
services, including Notice of Privacy Practices compliance with the
civil commitment and | §164.520(c) requirements for the
detention). • CEs that are direct HIPAA NPP
treatment providers must acknowledgment, 
provide the NPP to their HIPAA is more 
patients and attempt to stringent than state 
obtain a written law. 
acknowledgment of e Thus, CEs that are 
receipt of the NPP. direct treatment 
providers may 
disclose PHI to 


mental health 
coordinators for 
purposes of 
committing an 
individual for 
involuntary 
treatment only if 
they comply with the 
more stringent 
requirements for the 





HIPAA NPP 

Permitted Disclosures acknowledgment. 
e The facility or program 

may disclose information 

and records in the 

following circumstances. 

1. As authorized by the | §164.508 Authorizations Yes HIPAA e CEs may disclose 

patient. e Except as otherwise PHI as authorized by 
permitted under HIPAA, a the patient pursuant
CE may not use or to §630.140.3(1), 
disclose PHI without an RSMo only if the 
authorization. content of the 
e HIPAA has a list of core authorization 
elements and requirements complies with 
concerning the content of HIPAA 
authorizations. requirements or the 
disclosure falls 
under a HIPAA 
exception. 

2. To persons or TPO Yes HIPAA e Because the 
agencies responsible | §164.506 disclosure of PHI by 
for providing health e CEs may use and disclose CEs that are direct 
care services to PHI for treatment, treatment providers 
patients, residents or payment and health care for TPO under 
clients. operations. HIPAA requires 

3. As necessary for a compliance with the 
recipient to make a Notice of Privacy Practices requirements for the 
claim for aid or §164.520(c) HIPAA NPP 
insurance. e CEs that are direct acknowledgment, 

treatment providers must HIPAA is more 
provide the NPP to their stringent than state 
patients and attempt to law. 
obtain a written e Thus, CEs that are 
acknowledgment of direct treatment 
receipt of the NPP. providers may 
disclose PHI to those 
responsible for 
providing health
care services, as
necessary for 
payment purposes 
and as necessary for 
operational functions 
such as audits, 
evaluations and 
similar studies only 
if they comply with 
the more stringent 
requirements for the 
HIPAA NPP 
acknowledgment. 

4. To qualified Research Yes HIPAA e CEs may only 
personnel conducting | §164.512(i) disclose PHI for 
scientific research, e CEs may use and disclose research purposes if 
management audits, PHI for research purposes they comply with 
financial audits, if they meet certain HIPAA research 
program evaluations requirements. requirements, which 
or similar studies (but in this case are more 
cannot identify stringent than 
individual patients in Missouri law. 
any report of such 
research, audits and 
studies). 

5. To the courts as Judicial and Administrative | Yes HIPAA e Though this 
necessary for the Proceedings provision of 
administration of §164.512(e)(1)() Missouri law does
Chapter 211, RSMo e CEs may disclose PHI in not have any 
(juvenile courts), the course of any judicial requirements for 
Chapter 475, RSMo or administrative disclosure to courts 
(guardianship under proceeding in response to for the delineated 
the probate code), an order by the court or purposes, HIPAA 
Chapter 552, RSMo administrative tribunal or, has more stringent 
(criminal proceedings if certain circumstances requirements that 
involving mental are met, in response to a must be met if the 
illness), Chapter 632, subpoena, discovery request for records 
RSMo (psychiatric request or other lawful comes in any form 
services, including process. other than a court 
civil commitment and order. 
detention). e Thus, CEs must 
follow HIPAA 
before disclosing 
records to the courts 
as permitted under 
this Missouri statute. 
6. To law enforcement | Law Enforcement Purposes Yes HIPAA • Because HIPAA has
officers or public §164.512(f) more stringent 
health officers as e CEs may disclose PHI for requirements for 
necessary for them to certain law enforcement disclosure of PHI to 
carry out their duties. purposes if they meet law enforcement 
applicable requirements. officers than this 
particular provision 
of Missouri law, the 
HIPAA 
requirements must 
be followed in order
to disclose PHI to 
law enforcement 
officers pursuant to 
this Missouri statute. 
7. Pursuant to a court or | Judicial and Administrative No State • CEs may disclose
administrative order. | Proceedings PHI pursuant to a
§164.512(e)(1)(i) court or
e CEs may disclose PHI in administrative order 
the course of any judicial as permitted under 
or administrative state law without 
proceeding in response to violating HIPAA 
an order by the court or because such 
administrative tribunal or, disclosure is 
if certain circumstances permitted under 
are met, in response to a HIPAA for judicial, 
subpoena, discovery administrative and 
request or other lawful law enforcement 
process. purposes. 
Law Enforcement Purposes 
§164.512(f) 
e CEs may disclose PHI in 
compliance with a court 
order, court-ordered 
warrant, subpoena or 
summons issued by a 
judicial officer, grand jury 
subpoena or, if certain
requirements are met, an
administrative request. 

8. To the attorney TPO Yes HIPAA e Because the 
representing §164.506 disclosure of PHI by 
petitioners under e CEs may use and disclose CEs that are direct 
Chapter 632, RSMo PHI for treatment, treatment providers 
(psychiatric services payment and health care for TPO under 
including civil operations. HIPAA requires 
commitment and compliance with the 
detention) as Notice of Privacy Practices requirements for the 
necessary for them to | §164.520(c) HIPAA NPP 
carry out their duties. | e CEs that are direct acknowledgment, 

treatment providers must HIPAA is more 

provide the NPP to their stringent than state 

patients and attempt to law. 

obtain a written e Thus, CEs that are 

acknowledgment of direct treatment 

receipt of the NPP. providers may 
disclose PHI to 
attorneys under this 
provision of state 
law for treatment 
purposes 
(determining 
whether involuntary 
commitment for 
treatment is 
necessary) only if 
they comply with the 
more stringent
requirements for the 
HIPAA NPP 
acknowledgment. 
9. To DSS as necessary | Victims of Abuse, Neglect or | Yes HIPAA e Though state law 
to report or Domestic Violence does not condition 
investigate abuse or §164.512(c) disclosure of PHI for 
neglect. (Note: The e Except for reports of child purposes of reports 
Division of Aging is abuse, CEs may report or investigations of 
no longer part of DSS abuse, neglect or domestic abuse or neglect on 
but has been moved violence to the extent such anything other than 
to DHSS). disclosure is authorized by what is necessary to 
law if report or investigate 
1. The CE reasonably the abuse or neglect, 
believes that HIPAA has 
disclosure is necessary additional conditions 
to prevent serious and requirements in 
harm to the individual order for the CE to 
or other potential disclose such PHI 
victims OR and is thus more 
2. The individual is stringent. 
unable to agree to the e CEs may disclose 
disclosure due to PHI under this 
incapacity and the provision of 
public official Missouri law only if 
authorized to receive the CE has met the 
the PHI represents that HIPAA 
the PHI is not intended requirements in 
to be used against the §164.512(c), which 
individual and include notification
immediate of the individual that 
enforcement activity a report is being 
that depends upon the made. 
disclosure would be 
materially and 
adversely affected by 
waiting until the 
individual is able to 
agree to the disclosure. 
e If the CE discloses PHI 

pursuant to this section of 

HIPAA, it must inform 

the individual of the 

disclosure except for 

certain delineated 

situations where the safety 

of the individual is at risk. 

10. To a county board Covered Entity Yes HIPAA e The purpose of 
established under §160.103 sheltered workshops 
205.968 to 205.972, e A covered entity includes and developmental 
RSMo (county health care providers that disability services 
sheltered workshops transmit health under Chapter 205 
and developmental information in electronic clearly falls within 
disability services). form in connection with a the definition of 

transaction covered by health care provider. 
HIPAA. Thus, to the extent 
such workshops 
TPO engage in covered
§164.506 transactions, they are 
e CEs may use and disclose CEs. 
PHI for treatment, e Because the 
payment and health care disclosure of PHI by 
operations. CEs that are direct 
treatment providers 
Notice of Privacy Practices for TPO under 
§164.520(c) HIPAA requires 
e CEs that are direct compliance with the 
treatment providers must requirements for the 
provide the NPP to their HIPAA NPP 
patients and attempt to acknowledgment, 
obtain a written HIPAA is more 
acknowledgment of stringent than state 
receipt of the NPP. law. 

e Thus, CEs that are 
direct treatment 
providers may 
disclose PHI to 
another CE (the 
county board 
established under the 
county sheltered 
workshops and 
developmental 
disability services 
statutes) under this 
provision of state 
law only if they 
comply with the
more stringent 
requirements for the 
HIPAA NPP 
acknowledgment. 
Notification of Illness or Notification of Family, Yes HIPAA e HIPAA generally 
Death of a Patient, Friends and Personal and and has more 
Resident or Client Representatives No State requirements for 
§630.145 §164.510(b)(1)(ii) disclosure in this 
e A residential facility or e CEs may disclose PHI to situation and thus is 
day program funded or notify certain family more stringent than 
licensed by DMH may members, friends or state law. 
disclose PHI, including personal representatives e However, to the 
the status of an individual who are responsible for extent HIPAA 
as a patient, resident or the individual’s care. would allow 
client of such a facility or Such information may disclosure of more 
program, or that the include the individual’s than the patient’s 
individual is seriously location, general condition status as a patient, 
physically ill or that the or death. resident or client, the 
patient has died and the e The applicable fact of their serious 
cause of death. requirements for physical illness or 
e Depending on the disclosure depend on their death and cause 
circumstances, such whether or not the patient of death, state law is 
disclosure may be to the is present at the time of more stringent. 
next of kin, attorney, the disclosure. e Because Missouri 
guardian or conservator law and HIPAA are 
of the individual or a not easily integrated 
person responsible for in this context, CEs 
payment. should ensure 
compliance with
both state law and 
HIPAA in these 
circumstances. 
Notification of 
Unauthorized Absence of 
Patients, Residents or 
Clients 
§630.150 
e Under certain Notification of Family, Yes HIPAA CEs may notify 
circumstances, residential | Friends and Personal family members, law 
facilities or day programs | Representatives enforcement 
may disclose the §164.510(b)(1)(i) officials and others 
unauthorized absence of | • CEs may disclose to pursuant to state law
a patient, resident or certain family members, only if additional 
client to relatives, law friends or personal requirements are 
enforcement agencies representatives PHI that is met. Such 
and others as necessary relevant to the person’s requirements depend 
to protect the patient, involvement with the on the purpose of the 
resident or other parties. individual’s care or disclosure. 
payment for that care. Because Missouri 
Such information may law and HIPAA are 
include the individual’s not easily integrated 
location, general condition in this context, CEs 
or death. should ensure 
e The applicable compliance with 
requirements for both state law and 
disclosure depend on HIPAA in these 
whether or not the patient circumstances.
is present at the time of e CEs may disclose 
the disclosure. the absence to 
family members 
Serious Threat to Health or pursuant to state law 
Safety without violating 
§164.512(j)(1) HIPAA if it is 
• A CE may, consistent relevant to their
with applicable law and involvement in the 
ethical standards, disclose individual’s care or 
PHI if the CE has a good payment for such 
faith belief that such care. 
disclosure is necessary to e CEs may disclose 
prevent or lessen a serious the absence to law 
and imminent threat to the enforcement 
health or safety of a authorities without 
person or the public AND violating HIPAA if 
the disclosure is to a it is for the purpose 
person reasonably able to of apprehending and 
prevent or lessen such returning an 
threat OR such disclosure individual who 
is necessary for law escaped from lawful 
enforcement authorities to custody as defined in 
identify or apprehend an §164.501 of HIPAA. 
individual because of the e CEs may disclose 
individual’s involvement the absence to 
in a violent crime or family members, law 
where the individual has enforcement 
escaped from a officials and others 
correctional institution or without violating 
other form of lawful HIPAA if it is for
custody as it is defined the purpose of 
under HIPAA. averting a serious 
threat to health or 
safety and meets the 
requirements in 
§164.512() of 
HIPAA. 

• Under certain Serious Threat to Health or No State • CEs may disclose
circumstances, mental Safety the absence to law
health facilities shall §164.512(j)(1)(ii) enforcement
disclose the unauthorized | • A CE may, consistent authorities such as
absence of a patient, with applicable law and the sheriff and 
resident or client ethical standards, disclose prosecutor as 
committed to their PHI if the CE has a good required under state 
custody pursuant to faith belief that such law without 
Chapter 552, RSMo disclosure is necessary for violating HIPAA 
(criminal proceedings law enforcement because the 
involving mental illness) authorities to identify or individual would 
to the prosecutor and apprehend an individual have escaped from 
sheriff in the county in where the individual has lawful custody as 
which the individual is escaped from a defined in §164.501 
detained and the trial correctional institution or of HIPAA and 
occurred, all known other form of lawful because it is required 
surviving victims and custody as it is defined by law. 
any others as necessary under §164.501 of e CEs may disclose 
for the protection of the HIPAA. the absence to the 
patient, resident or other victims and others 
parties. As Required by Law pursuant to state law 
§164.512(a) without violating
e CEs may use or disclose HIPAA because it is 
PHI without giving the required by law. 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
Abuse or Neglect: Victims of Abuse, Neglect or | Yes HIPAA CEs may report and 
Reporting and Domestic Violence disclose PHI as part 
Investigation §164.512(c) of an investigation 
§§630.165, 630.167, and • CE may disclose PHI to of abuse or neglect
630.168 an agency authorized to pursuant to these 
9 CSR 10-5.200 receive information about sections of Missouri 
e Various statutes require an individual believed to law without 
mandatory reporting of be a victim of abuse, violating HIPAA 
abuse or neglect to neglect or domestic because it is required 
DMH, DHSS and law violence to the extent such by law. 
enforcement authorities. disclosure is required by However, to the 
Such statutes also require law and complies with the extent HIPAA 
cooperation in the requirements of that law. requires the CE to 
investigation of such e If the CE discloses PHI provide notice of the 
abuse or neglect. pursuant to this section of disclosure to the 
HIPAA, it must inform abused or neglected 
the individual of the individual, it is more 
disclosure except for stringent than 
certain delineated Missouri law and 
situations where the safety must be complied 
of the individual is at risk. with.
As Required by Law 
§164.512(a); 164.512(a)(2) 
e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law. 
e CEs must meet additional 
requirements for 
disclosures for 164.512 
(c), (e), and (f) 
Research Activities Research Yes State e Both HIPAA and 
Mental Health Facilities or | §164.512(i) and and Missouri law have 
Programs e CEs may disclose PHI for No HIPAA specific 
§630.192 research purposes without requirements with 
e No biomedical or patient authorization if respect to research. 
pharmacological research such research is approved e Each has restrictions 
can be conducted in by an Institutional Review that are more 
certain mental health Board (IRB) or privacy stringent than the 
facilities and programs, board; the disclosure is for other. 
residential facilities, or the purpose of review in e Because they are not 
day programs unless the preparation for research; easily integrated, it 
purpose of such research or the research involves is best to comply 
is to alleviate or prevent the PHI of decedents. with both. 
disabling conditions or e Each exception has its 
have a direct therapeutic own specific requirements
benefit to the and specific 
participants. documentation is required 
e Participation by for research based on IRB 
involuntary patients or privacy board approval. 
requires a court order. 
Residential Facilities or 
Day Programs 
§630.194 
e Research is permitted 
only if submitted to a 
professional review 
committee created under 
§630.193, RSMo and
certain other 
requirements are met. 
Placement of Patients TPO Yes HIPAA e To the extent 
§§630.610; 630.620; §164.506 placement of 
630.635, 630.810 and e CEs may use and disclose individuals in a 
630.855 PHI for treatment, facility or program 
payment and health care involves the use or 
§§630.610; 630.620; operations. disclosure of PHI, 
630.635 HIPAA is 
e Placement of persons Notice of Privacy Practices implicated. 
with a mental disorder or | §164.520(c) 
illness, mental e CEs that are direct e Placement of the 
retardation, treatment providers must individuals relates to 
developmental disability provide the NPP to their obtaining treatment 
or alcohol and drug abuse
under the auspices of 
DMH. 


§630.810 
e Interstate Compact on 
Mental Health. 


§630.855 

e Interstate Compact on the 
Mentally Disordered 
Offender. 





patients and attempt to 
obtain a written 
acknowledgment of 
receipt of the NPP. 











and is part of 
continuity of care. 


e Because the 
disclosure of PHI by 
CEs that are direct 
treatment providers 
for TPO under 
HIPAA requires 
compliance with the 
requirements for the 
HIPAA NPP 
acknowledgment, 
HIPAA is more 
stringent than state 
law. 


e Thus, CEs that are 
direct treatment 
providers may 
disclose PHI for 
purposes of placing 
a patient only if they 
comply with the 
more stringent 
requirements for the 
HIPAA NPP 
acknowledgment. 
Licensure: Residential Health Oversight Activities No State • CEs may disclose
Facilities or Day Programs | §164.512(d) PHI to DMH or its 
§630.730 e CEs may disclose PHI to agents for purposes 
e Permits DMH or another health oversight agencies of a licensing 
government agency for oversight activities inspection without 
designated by DMH to authorized by law, violating HIPAA 
perform a licensing including audits, because it is a 
inspection of residential investigations, permissible health 
facilities or day programs inspections, licensure etc. oversight activity. 
licensed by DMH. 
Disclosure of Records Health Oversight Activities No State e CEs may disclose 
§630.975 §164.512(d) PHI to the mental 
e Any hospital, physician, e CEs may disclose PHI to health fatality 
medical professional, health oversight agencies review panel for 
mental health for oversight activities investigatory 
professional or Dept. of authorized by law, purposes without 
Mental Health shall including audits, violating HIPAA 
disclose all records, investigations, because it is a 
medical or social, of any inspections, licensure etc. permissible health 
client who has died to the oversight activity. 
mental health fatality As Required by Law 
review panel for §164.512(a) 
investigation. e CEs may use or disclose 
PHI without giving the 
individual the opportunity 
to agree or object and 
without an authorization if 
it is required by law and is 
limited to the 
requirements of such law.

Alcohol and Drug Abuse
Alcohol and Drug Abuse TPO Yes State e Because the 
§§631.115; 631.120; §164.506 and and disclosure of PHI by 
631.125; 631.135; 631.140; | • CEs may use and disclose No HIPAA CEs that are direct
631.145; 631.150; 631.160; PHI for treatment, (depends on treatment providers 
631.165; 631.170 payment and health care the situation) for TPO under 
e Provisions concerning operations. HIPAA requires 

the detention, placement compliance with the 
or transfer of individuals requirements for the 
engaged in alcohol or Notice of Privacy Practices HIPAA NPP 
drug abuse. Disclosure §164.520(c) acknowledgment, 
of PHI is necessary to e CEs that are direct HIPAA is more 
accomplish such treatment providers must stringent than state 
placements and transfers. provide the NPP to their law. 
patients and attempt to Thus, CEs that are 
§631.135 obtain a written direct treatment 
e Allows for notification of acknowledgment of providers may 
the individual’s guardian receipt of the NPP. disclose PHI for 
when an individual is purposes of 
admitted to a drug or Notification of Family, placement of 
alcohol abuse facility. Friends and Personal patients only if they 
Such notification may be | Representatives comply with the 
provided to a responsible | §164.510(b)(1)(i) more stringent 
member of the e CEs may disclose to requirements for the 
individual’s immediate certain family members, HIPAA NPP 
family if the individual friends or personal acknowledgment. 
consents. representatives PHI that is CEs may disclose to 
relevant to the person’s an individual’s 
involvement with the guardian the fact of
individual’s care or the individual’s 
payment for that care. admission to a 
Such information may facility without 
include the individual’s violating HIPAA 
location, general condition because the guardian 
or death. is a personal 
e The applicable representative under 
requirements for HIPAA. 
disclosure depend on Though notification 
whether or not the patient of family members 
is present at the time of involved in the 
the disclosure. patient’s care or 
payment for such 
Personal Representatives: care is permissible 
Adults and Emancipated under HIPAA, 
Minors Missouri law is more 
§164.5502(g)(2) stringent in that it 
e CEs may disclose PHI to a requires consent of 
person who has authority the patient. Thus, 
to act on behalf of an adult CEs may disclose 
or emancipated minor in PHI to a family 
making decisions related member pursuant to 
to health care. this Missouri statute 
only if they obtain 
the patient’s consent. 
NOTE: To the extent 
the federal 
confidentiality of 
substance abuse 
statute (42 U.S.C.
290dd-2) and 
regulations (42 CFR 
part 2) are 
applicable, they 
must be considered. 
Mental Health Records:

Disclosure to Providers 

§§632.010, 632.385 and 

632.489 

§632.010 Health Oversight Activities No State e CEs may disclose 

e As part of its oversight §164.512(d) PHI to the Division 
function, the Division of | • CEs may disclose PHI to of Comprehensive
Comprehensive health oversight agencies Psychiatric Services 
Psychiatric Services of for oversight activities without violating 
DMH has access to authorized by law, HIPAA because it is 
information from including audits, a permissible health 
Division programs for investigations, oversight activity. 
the purpose of evaluating inspections, licensure etc. 
their cost-and-benefit 
effectiveness. 

§632.385 TPO Yes HIPAA e Because the 

• If a mental health facility | §164.506 disclosure of PHI by
determines that release of | • CEs may use and disclose CEs that are direct
a patient is in the best PHI for treatment, treatment providers
interest of the patient, the payment and health care for TPO under
facility must provide a operations. HIPAA requires 
copy of the conditions of compliance with the 
release to the mental Notice of Privacy Practices requirements for the 
health facility that will be | §164.520(c) HIPAA NPP 
providing treatment upon | e CEs that are direct acknowledgment, 
release of the patient. treatment providers must HIPAA is more 
Notice is also required provide the NPP to their stringent than state 
when the conditions of patients and attempt to law. 
release are modified. obtain a written e Thus, CEs that are 
acknowledgment of direct treatment 
receipt of the NPP. providers may 
disclose PHI for 
treatment purposes 
only if they comply 
with the more 
stringent 
requirements of the 
HIPAA NPP 
acknowledgment. 
§632.489 Covered Entity No State e Disclosure by the 
e An independent §160.103 multidisciplinary 
psychiatrist or e A covered entity includes team to a CE under 
psychologist performing health care providers that this section does not 
a court-ordered transmit health implicate HIPAA 
examination of a information in electronic because the 
suspected sexually form in connection with a multidisciplinary 
violent predator may transaction covered by team itself is not a 
access confidential health HIPAA. CE, even though 
information considered some individual
by the multidisciplinary members of the team 
team. may be CEs in their 
own health care 
practices. 
Mental Health Records: TPO Yes HIPAA e Because the 
Disclosure to MHCs §164.506 disclosure of PHI by 
§§632.300, 632.315, e CEs may use and disclose CEs that are direct 
632.330, 632.340, 632.370, PHI for treatment, treatment providers 
632.375 and 632.390 payment and health care for TPO under 
operations. HIPAA requires 
§632.300 compliance with the 
• Mental health Notice of Privacy Practices requirements for the
coordinators, which are §164.520(c) HIPAA NPP
defined as mental health | • CEs that are direct acknowledgment,
professionals employed treatment providers must HIPAA is more 
by the state and provide the NPP to their stringent than state 
appointed by DMH, are patients and attempt to law. 
required to conduct an obtain a written 
investigation when they acknowledgment of e Thus, CEs that are 
receive information that a receipt of the NPP. direct treatment 
person with a mental providers may 
disorder presents a As Required by Law disclose PHI to the 
likelihood of serious §164.512(a) MHC for purposes 
harm to himself, herself | CEs may use or disclose of detaining a person 
or others. As a result of PHI without giving the for treatment only if 
such investigation the individual the opportunity they comply with the 
MHC may file an to agree or object and more stringent 
application with the court without an authorization if requirements for the 
for a 96-hour hold for it is required by law and is HIPAA NPP

evaluation and treatment. limited to the acknowledgment. 

requirements of such law. 

§632.315 

e A facility accepting a 
patient for evaluation and 
treatment pursuant to a 
96-hour hold must file 
the application for the 
hold and other 
documents with the court 
and the regional MHC. 


§§632.330, 632.340 

e The head of a mental 
health facility shall notify 
the MHC of the filing of 
a petition for additional 
detention for evaluation 
and treatment. 


§632.370 

• When an involuntary
patient is transferred by 
DMH from one mental 
health program to 
another, notice of such 
transfer must be provided 
to the MHC for the 
region. 
§632.375
e Required reports of 
continuing examination 
and evaluation of 
involuntary patients must 
be sent to the MHC. 
§632.390 
e When an involuntary 
patient is released from a 
mental health program, 
the head of the program 
must notify the MHC. 
Mental Health Records: 
Disclosure to Family, 
Friends or Legal 
Guardians 
§§632.175, 632.300, 
632.370, 632.375 and 
632.392 
§632.175 Personal Representatives: No State e CEs may disclose 
e The condition of patients | Adults and Emancipated PHI to the patient’s 
of mental health facilities | Minors guardian under 
must be reviewed at least | §164.5502(g)(2) §632.175, RSMo 
once every 180 days. A | • CEs may disclose PHI to a without violating
copy of that review is person who has authority HIPAA because 
required to be sent to the to act on behalf of an adult such individual is a 
patient’s guardian. or emancipated minor in personal 








making decisions related representative of the 
to health care. patient under 
HIPAA in that they 
have the authority to 
act on behalf of the 
patient in making 
decisions related to 


health care. 
Missouri Statute

§632.300
• As a result of an investigation of a person with a mental disorder at risk of serious harm to himself, herself or others, if the MHC determines that involuntary commitment is not necessary, the MHC should inform the person or the person’s family or friends about agencies and courts that may be of assistance.

HIPAA Privacy Regulations

Notification of Family, Friends and Personal Representatives
§164.510(b)(1)(i)
• CEs may disclose to certain family members, friends or personal representatives PHI that is relevant to the person’s involvement with the individual’s care or payment for that care. Such information may include the individual’s location, general condition or death.
• The applicable requirements for disclosure depend on whether or not the patient is present at the time.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI to family and friends of an individual in order to explain sources of potential assistance without violating HIPAA because it is required by law and to the extent it is relevant to the family member or friend’s involvement in the patient’s care or payment for that care.
Missouri Statute

§632.370
• When an involuntary patient is transferred by DMH from one mental health program to another, notice of such transfer must be provided to the patient’s legal guardian, parents and spouse or if none known, to the patient’s nearest known relative or friend, but such notice requires the consent of the patient or legal guardian or in the case of a minor, the minor’s parent. Notice must also be given to the patient’s last known attorney of record. If such transfer is to an agency of the United States notice to the legal guardian, spouse, parents and nearest known relative or friend does not appear to require consent of the patient.

HIPAA Privacy Regulations

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• When patient is being transferred from one mental health program to another, CEs may disclose PHI to a patient’s guardian, parents, spouse or nearest known relative or friend with consent of the patient.
• When patient is being transferred to an agency of the U.S., disclosure may be made to the above listed people without patient consent pursuant to Missouri law without violating HIPAA because it is required by law.
Missouri Statute

§632.375
• Required reports of continuing examination and evaluation of involuntary patients must be sent to the patient’s attorney.

HIPAA Privacy Regulations

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI to the patient’s attorney under §632.375, RSMo without violating HIPAA because such disclosure is required by law. A patient’s attorney is not likely to be considered a personal representative of the patient under HIPAA in that they ordinarily do not have the authority to act on behalf of the patient in making decisions related to health care.

Missouri Statute

§632.392
• When certain involuntary patients are released, a mental health program and any treating physician may disclose confidential medically necessary or safety-related treatment information to “care providers” (individuals who are primarily responsible for the patient’s health care — not including those providing care through hospitals, nursing homes, group homes or similar facilities). Such disclosure requires an attempt to obtain the consent of the patient.

HIPAA Privacy Regulations

Notification of Family, Friends and Personal Representatives
§164.510(b)(1)(i)
• CEs may disclose to certain family members, friends or personal representatives PHI that is relevant to the person’s involvement with the individual’s care or payment for that care. Such information may include the individual’s location, general condition or death.
• The applicable requirements for disclosure depend on whether or not the patient is present at the time of the disclosure.

Conflict? Yes and No

State Law or HIPAA? State and HIPAA (depends on the situation)

Discussion and Conclusion

• Though HIPAA would allow disclosure based on the person’s involvement in the patient’s care or payment for care if the patient is given the opportunity to agree or object, Missouri law requires an attempt to obtain consent but would still allow disclosure without such consent.
• The two laws are consistent if the patient consents to the disclosure. However, if the patient does not consent, the more stringent HIPAA standard would not allow disclosure and must be followed.
Mental Health Records: Disclosure to Courts
§§632.175, 632.300, 632.305, 632.315, 632.330, 632.335, 632.340, 632.345, 632.355, 632.370, 632.375, 632.385, 632.390, 632.489 and 632.498

Missouri Statute

§§632.175, 632.375, 632.498
• Required reports of continuing examination and evaluation of involuntary patients, including patients determined to be sexually violent predators, must be sent to the court.

§632.300
• As a result of an investigation of a person with a mental disorder at risk of serious harm to himself, herself or others, the MHC may file an application with the court for a 96-hour hold for evaluation and treatment.

§632.305
• Any person (including a health care provider) may file an application with the court for the 96-hour hold for evaluation and treatment of a person with a mental disorder believed to be at risk for serious harm to himself, herself or others.

§632.315
• A facility accepting a patient for evaluation and treatment pursuant to a 96-hour hold must file the application for the hold and other documents to the court and the designated MHC for the region.

§§632.330, 632.335, 632.340, 632.355
• A mental health facility or MHC may file a petition with the court for additional inpatient or outpatient detention.

§632.370
• When an involuntary patient is transferred by DMH from one mental health program to another or from a mental health program to an agency of the United States for hospitalization, notice of such transfer must be provided to the court that ordered the detention/commitment.

§632.385
• If a mental health facility determines that release of a patient is in the best interest of the patient, the facility must notify the court of the conditions of release. Notice is also required when the conditions of release are modified.

§632.390
• When an involuntary patient is released from a mental health program, the head of the program must notify the court.

§632.345
• A person has a right to request examination by a court-appointed physician or psychologist and to have such physician or psychologist testify for purposes of determining whether involuntary commitment is necessary.

HIPAA Privacy Regulations

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? Yes and No

State Law or HIPAA? State and HIPAA (depends on the situation)

Discussion and Conclusion

• CEs may disclose PHI to the courts under §§632.175, 632.375, 632.498, 632.300, 632.305, 632.315, 632.330, 632.340, 632.345, 632.355, 632.370, 632.385 and 632.390, RSMo, without violating HIPAA because it is required by law.
• To the extent disclosure is not required by law, CEs may disclose PHI to the courts for treatment purposes but, because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, CEs that are direct treatment providers may disclose PHI to the courts for treatment purposes only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.
Missouri Statute

§632.489
• The psychiatrist or psychologist performing a court-ordered examination of a suspected sexually violent predator has a right to access all materials provided to and considered by the multidisciplinary team and must provide the results of such examination to the court.

HIPAA Privacy Regulations

As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Covered Entity
§160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• Disclosure by the multidisciplinary team to a psychiatrist or psychologist performing a court-ordered examination under this provision of Missouri law does not implicate HIPAA because the multidisciplinary team itself is not a CE, even though some individual members of the team may be CEs in their own health care practices.
• The psychiatrist or psychologist performing the court-ordered examination may disclose the results of that examination without violating HIPAA because such disclosure is required by law and is pursuant to a court-order.
Mental Health Records: Disclosure to Law Enforcement Officers
§§632.300, 632.305, 632.337, 632.370, 632.455, 632.483 and 632.484

Missouri Statute

§632.300
• If the investigation of a person by the MHC reveals that the person with a mental disorder is at imminent risk of serious harm to himself, herself or others, the MHC must request a law enforcement officer to take custody of and transport the person to a mental health facility pending the filing of an application for a 96-hour hold for evaluation and treatment.

§632.370
• When an involuntary patient is transferred by DMH from one mental health program to another, notice of such transfer must be provided to the prosecuting attorney if such patient was committed pursuant to Chapter 552, RSMo (criminal proceedings involving mental illness).

§632.483
• When it appears that a person meets the criteria of a sexually violent predator, the agency with jurisdiction (which in some circumstances may be DMH) must notify the Attorney General and the multidisciplinary team as defined in this section. The multidisciplinary team (which may include health care providers), must make its assessment available to the Attorney General and the Prosecutor’s Review Committee, as defined in this section.

§632.484
• Upon an appropriate referral of a person by the court, DMH must determine if the person is a sexually violent predator and provide a report of its investigation and evaluation to the Attorney General.

HIPAA Privacy Regulations

As Required by Law
§164.512(a); 164.512(a)(2)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
• CEs must meet additional requirements for disclosures for 164.512 (c), (e), and (f).

Law Enforcement Purposes
§164.512(f)(1)
• CEs may disclose PHI to a law enforcement official for law enforcement purposes as required by law.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI to law enforcement officials such as police officers and prosecutors pursuant to §§632.300, 632.370, 632.483 and 632.484, RSMo without violating HIPAA because it is required by law.

Missouri Statute

§632.305
• If anyone believes a person with a mental disorder is at risk for serious harm to himself, herself or others, that person may file an application for a 96-hour hold for evaluation and treatment. If the MHC determines that the person with the mental disorder who is the subject of the application is at imminent risk of serious harm to himself, herself or others, the MHC may request a law enforcement officer to take the person into custody for a 96-hour hold for evaluation and treatment.

§632.337
• If a supervisory mental health program determines that a person subject to court-ordered outpatient detention needs inpatient detention, the program may direct such detention at an appropriate facility and may authorize the sheriff to detain and transport the person to that facility.

HIPAA Privacy Regulations

TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Serious Threat to Health or Safety
§164.512(j)(1)(i)
• A CE may, consistent with applicable law and ethical standards, disclose PHI if the CE has a good faith belief that such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public AND the disclosure is to a person reasonably able to prevent or lessen such threat.

State Law or HIPAA? State and HIPAA (depends on the situation)

Discussion and Conclusion

• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, CEs that are direct treatment providers may disclose PHI as necessary to initiate detention proceedings to provide treatment on an involuntary basis only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.
• Also, CEs that are direct treatment providers may disclose PHI to law enforcement officers as necessary to apprehend and detain an individual for treatment purposes only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.
• CEs also may disclose PHI to a law enforcement officer pursuant to §§632.305 and 632.337, RSMo without violating HIPAA because in both cases, the disclosure is made in order to prevent imminent serious harm as contemplated under §164.512(j) of HIPAA.
Missouri Statute

§632.455
• Under certain circumstances, the head of a mental health program may request the sheriff to apprehend a patient who is absent without authorization and return the patient to the program.

HIPAA Privacy Regulations

Serious Threat to Health or Safety
§164.512(j)(1)(ii)
• A CE may, consistent with applicable law and ethical standards, disclose PHI if the CE has a good faith belief that such disclosure is necessary for law enforcement authorities to identify or apprehend an individual because of the individual’s involvement in a violent crime or where the individual has escaped from a correctional institution or other form of lawful custody as it is defined under HIPAA.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• The head of a mental health program may disclose such PHI as is necessary to request the sheriff to apprehend an individual who is absent without authorization from such program without violating HIPAA because the individual has effectively escaped from lawful custody.
Mental Health Records: Waiver of Privileges
§§632.425, 632.510

Missouri Statute

§632.425
• The statutory physician-patient and psychologist-patient privileges are waived in detention proceedings to the extent that the evidence is material and relevant to the proceedings.

HIPAA Privacy Regulations

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• As part of detention proceedings, state law allows admission of PHI into evidence, regardless of privilege if it is relevant and material. Because HIPAA would allow such disclosure only if certain requirements are met or there is a court or administrative order, HIPAA is more stringent than state law and must be followed.
Mental Retardation and Developmental Disabilities

Missouri Statute

Mental Retardation and Developmental Disabilities Programs
§633.010
• As part of its oversight function, the Division of Retardation and Developmental Disabilities, a division of DMH, has access to information from mental retardation or developmental disabilities programs for the purpose of evaluating their cost-and-benefit effectiveness.

HIPAA Privacy Regulations

Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI to the Division of Retardation and Developmental Disabilities as it may be relevant to their cost-benefit analysis without violating HIPAA because the Division’s access is for health oversight purposes.
Missouri Statute

Mental Retardation or Developmental Disabilities: Transfer and Referral of Individuals
§§633.120, 633.130, 633.135, 633.145 and 633.150
• These provisions permit transfers or referrals of residents of certain facilities to other facilities as described in those sections.

HIPAA Privacy Regulations

TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, CEs that are direct treatment providers may disclose PHI for purposes of a transfer or referral to a mental retardation facility only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.
Missouri Statute

§633.145
• Transfers between two mental retardation facilities under §633.145 require notice to the resident being transferred or that individual’s guardian or next of kin.

HIPAA Privacy Regulations

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may provide notice of a transfer to the resident’s guardian or next of kin without violating HIPAA because it is required by law.
Missouri Statute

Mentally Retarded Residents: Detention or Release Requiring Court Proceedings
§§633.125, 633.130 and 633.160
• These provisions permit the initiation of proceedings by a facility for purposes of involuntary detention, discharge or referral of a patient, and the appointment of a guardian, respectively.

HIPAA Privacy Regulations

TPO
§164.506
• CEs may use and disclose PHI for treatment, payment and health care operations.

Notice of Privacy Practices
§164.520(c)
• CEs that are direct treatment providers must provide the NPP to their patients and attempt to obtain a written acknowledgment of receipt of the NPP.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• Involuntary detention, discharge or referral of a patient, and the appointment of a guardian all relate to the treatment of a patient.
• Because the disclosure of PHI by CEs that are direct treatment providers for TPO under HIPAA requires compliance with the requirements for the HIPAA NPP acknowledgment, HIPAA is more stringent than state law.
• Thus, CEs that are direct treatment providers may disclose PHI for purposes of involuntary detention, discharge or referral of a patient, and the appointment of a guardian only if they comply with the more stringent requirements for the HIPAA NPP acknowledgment.
Missouri Statute

Notification of Unauthorized Absence from a Mental Retardation Facility
§633.140
• When a resident of a mental retardation facility is absent without authorization, the facility may request the sheriff to apprehend the resident and return him to the facility.

HIPAA Privacy Regulations

Serious Threat to Health or Safety
§164.512(j)(1)(ii)
• A CE may, consistent with applicable law and ethical standards, disclose PHI if the CE has a good faith belief that such disclosure is necessary for law enforcement authorities to identify or apprehend an individual because of the individual’s involvement in a violent crime or where the individual has escaped from a correctional institution or other form of lawful custody as it is defined under HIPAA.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• A mental retardation facility may disclose such PHI as is necessary to request the sheriff to apprehend an individual who is absent from such facility without authorization because the individual has effectively escaped from lawful custody.
Department of Social Services

Missouri Statute

Abuse: Protective Services
§§660.250, 660.255, 660.260, 660.261 and 660.263, 660.270, 660.275, 660.285, 660.290, 660.300, 660.305, 660.310, 660.315

§§660.255, 660.260, 660.261
• These statutes require reporting and investigation concerning the need for protective services to “eligible adults” who are likely to suffer serious harm.

§660.250
• Eligible adult is defined as a person 60 years of age or older (or a person between 18 and 59 with a mental disability) who is unable to protect his/her own interests or adequately perform or obtain services necessary to meet essential human needs.

§§660.263, 660.320, and 660.321
• Confidentiality of reports and investigations.
• Except that DSS shall provide access to reports by the Missouri Department of Labor (660.320) and law enforcement agencies, guardians, DMH, the eligible adult, and DSS (660.321).

§660.270
• Procedure when report involves abuse or neglect.
• Permits DSS to request a warrant or injunction from a court if necessary.

§660.275
• Permits DSS to petition the court when an individual attempts to interfere with protective services being provided to an eligible adult.

§660.280
• Requires DSS to petition the court if an eligible adult is unable to consent and the guardian refuses to provide or allow protective services.

§660.285
• Permits DSS to initiate proceedings to have a guardian appointed.

§660.290
• Permits law enforcement officer to initiate placement of an eligible adult without capacity to consent for involuntary treatment in certain circumstances (not mental health treatment unless fits into involuntary commitment statutes in Chapter 632).
• Permits DSS or head of medical facility to obtain a warrant, if necessary, to enter the premises and remove the eligible adult.
• Requires DSS or head of medical facility to obtain a court order for further treatment.
• The court shall conduct a hearing and appoint a guardian ad litem.
• Eligible adult with capacity has the right to refuse or discontinue services.

§660.300
• Requires reporting of abuse of in-home services clients by a designated list of individuals under certain circumstances.
• Permits reporting of such abuse by other individuals.
• Requires case manager to investigate such reports.
• Permits DSS or local prosecuting attorney to file a petition for temporary care but, upon the request of DSS, the attorney general must file such a petition.
• Reports shall be confidential.
• Civil and administrative penalties.
• Prohibits retaliation based on reporting.

§660.305
• Permits reporting of financial misappropriation of client funds or the falsification of documents regarding the delivery of services.
• Requires DSS to investigate and report violations to appropriate law enforcement agency.

§660.310
• Review by the Administrative Hearing Commission.

§660.315
• Requires notification of individuals when they are placed on the employee disqualification list.
• Requires a hearing when individuals challenge the decision to place them on the list.

HIPAA Privacy Regulations

As Required by Law
§164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.

Victims of Abuse, Neglect or Domestic Violence
§164.512(c)
• Except for reports of child abuse, CEs may report abuse, neglect or domestic violence to the extent such disclosure is required by law as long as the disclosure conforms to that law.
• CEs may report such abuse as authorized by law only if
1. The CE reasonably believes that disclosure is necessary to prevent serious harm to the individual or other potential victims OR
2. The individual is unable to agree to the disclosure due to incapacity and the public official authorized to receive the PHI represents that the PHI is not intended to be used against the individual and immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
• If the CE discloses PHI pursuant to this section of HIPAA, it must inform the individual of the disclosure except for certain delineated situations where the safety of the individual is at risk.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• CEs may report the need for protective services and provide PHI pursuant to an investigation of such report without violating HIPAA when such reports and investigations are required by law.
• However, even if reports of elder abuse are required by law, HIPAA adds the additional requirement of notice to the individual being abused. To that extent, HIPAA is more stringent.
• Also, to the extent reports of elder abuse are permitted but not required, HIPAA has additional requirements for reporting as well as the additional notice requirement and is therefore more stringent.
• Thus, CEs may only report under state law if HIPAA would also allow such reporting and, if they do report, they must comply with the notice requirement under HIPAA.

HIPAA Privacy Regulations

Serious Threat to Health or Safety
§164.512(j)(1)(i)
• CEs may, consistent with applicable law and ethical standards, disclose PHI if they have a good faith belief that such disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public AND the disclosure is to a person reasonably able to prevent or lessen such threat.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• In addition, disclosures that are permitted but not required would likely be permissible under the HIPAA exception regarding a serious threat to health or safety, but the disclosure must meet the requirements under HIPAA regarding the necessity of preventing or lessening a serious and imminent threat and ability of the person receiving the information to prevent or lessen the threat.

HIPAA Privacy Regulations

Hybrid Entity
§164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.

Health Care Component
§164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• In addition, to the extent disclosures by DSS are related to the function of DSS as a health oversight agency and not as a covered health care provider, HIPAA does not prohibit such disclosures.

HIPAA Privacy Regulations

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CE may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain requirements are met, in response to a subpoena, discovery request or other lawful process.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• Once a petition is filed in court pursuant to the state law provisions, disclosure of PHI is permissible under HIPAA, but only if the HIPAA requirements for judicial and administrative proceedings are met.
Missouri Statute

Records Disclosed
§660.321
• Allows disclosure of medical records of an adult being served by DHSS when ordered by a court or for examination and copying to the following: DHSS; AG; Dept. of Mental Health; any appropriate law enforcement agency; and the eligible adult or guardian.

HIPAA Privacy Regulations

Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI to DHSS and DMH without violating HIPAA because disclosure is a health oversight activity.

HIPAA Privacy Regulations

Judicial and Administrative Proceedings
§164.512(e)(1)(i)
• CEs may disclose PHI in the course of any judicial or administrative proceeding in response to an order by the court or administrative tribunal or, if certain circumstances are met, in response to a subpoena, discovery request or other lawful process.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI pursuant to a court order to AG without violating HIPAA.

HIPAA Privacy Regulations

Law Enforcement Purposes
§164.512(f)
• CEs may disclose PHI in compliance with a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, grand jury subpoena or, if certain requirements are met, an administrative request.

Conflict? Yes

State Law or HIPAA? HIPAA

Discussion and Conclusion

• CEs may not disclose PHI to law enforcement without a court order, warrant, subpoena, summons or administrative request pursuant to HIPAA.

HIPAA Privacy Regulations

Personal Representatives: Adults and Emancipated Minors
§164.5502(g)(2)
• A CE may use or disclose PHI to a person who has authority to act on behalf of an adult or emancipated minor in making decisions related to health care.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• CEs may disclose PHI to a person acting on behalf of an adult without violating HIPAA if for decisions related to healthcare.
Missouri Statute

Adult Day Care Programs: Investigation and Oversight
§§660.407 and 660.414
• The Division of Aging (part of DHSS) is authorized to conduct compliance investigations in licensed and unlicensed adult day care programs.

HIPAA Privacy Regulations

Health Oversight Activities
§164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.

Conflict? No

State Law or HIPAA? State

Discussion and Conclusion

• To the extent they are CEs, adult day care programs may disclose PHI to the Division of Aging as part of a compliance investigation without violating HIPAA because it is a permissible health oversight activity.

Missouri Statute: Child Sexual Abuse Cases, §660.520
• Establishes the “State Technical Assistance Team,” which is required to assist various agencies in the investigation of child abuse, child neglect, child sexual abuse, child exploitation, child pornography, or child fatality.
• Reports and records relating to criminal investigations handled by the Team must be made available in the same manner as other law enforcement reports as set forth in §§610.100 to 610.200 and to individuals as provided in §210.150.
HIPAA Privacy Regulations: As Required by Law, §164.512(a)
• CEs may use or disclose PHI without giving the individual the opportunity to agree or object and without an authorization if it is required by law and is limited to the requirements of such law.
HIPAA Privacy Regulations: Preemption Exception, §160.203(c)
• Generally, HIPAA preempts contrary state laws.
• One exception to that rule is when the state law provides for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation or intervention.
HIPAA Privacy Regulations: Public Health Activities, §164.512(b)
• CEs may disclose PHI to a public health authority authorized to receive such information for the purpose of preventing or controlling disease, injury or disability.
Conflict?: No
State Law or HIPAA?: State
Discussion and Conclusion:
• Because investigation by the Team is required by law, it is permissible under HIPAA.
• Investigation of child abuse or neglect as required under state law is permissible without violating HIPAA because such investigation is exempted from preemption and disclosure is required by law and/or is a permissible public health activity.
Missouri Statute: Long-Term Care Facilities: Ombudsman for Residents, §660.603
• The Office of the State Ombudsman for Long-Term Care Facility Residents is part of the Division of Aging, which is now part of DHSS.
• The ombudsman has the authority to enter any long-term care facility and have reasonable access to residents.
• The ombudsman may access the records of residents for general purposes if the resident consents.
HIPAA Privacy Regulations: Health Oversight Activities, §164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.
Conflict?: Yes
State Law or HIPAA?: State
Discussion and Conclusion:
• Under Missouri law, long-term care facilities may allow the ombudsman general access to patients on a reasonable basis but may only allow access to a resident’s records if the resident consents. The requirement of patient consent for access to patient records is more stringent than HIPAA and must be followed, even though HIPAA would otherwise allow such access as part of health oversight activities.

Missouri Statute:
• However, the ombudsman has the authority to review any information he or she deems relevant to the investigation and verification of specific complaints.
Conflict?: No
State Law or HIPAA?: State
Discussion and Conclusion:
• If the ombudsman is in the facility for the investigation of a specific complaint, the CE may disclose PHI, including the records of residents, to the extent it is necessary for such investigation without obtaining the patient’s consent and without violating HIPAA because it is a permissible health oversight activity.
Missouri Statute: Long-Term Care Facilities: Ombudsman’s Records, §660.605
• The ombudsman’s records are confidential.
• The identity of any resident of a long-term care facility may not be disclosed by the ombudsman unless the resident consents or as required by a court order.
HIPAA Privacy Regulations: Covered Entity, §160.103
• A covered entity includes health care providers that transmit health information in electronic form in connection with a transaction covered by HIPAA.
HIPAA Privacy Regulations: Hybrid Entity, §164.504(a)
• A hybrid entity is a type of covered entity that has covered and non-covered functions. Such entities have the obligation to designate their health care components.
HIPAA Privacy Regulations: Health Care Component, §164.504(b)
• HIPAA only applies to the health care component of a hybrid entity.
Conflict?: No
State Law or HIPAA?: State
Discussion and Conclusion:
• Because the state law limitations on disclosure by the ombudsman relate to the function of DHSS as a health oversight agency and not as a covered health care provider, HIPAA does not regulate such disclosure.
• Thus, disclosure by the ombudsman is governed by state law.

Missouri Statute: Elderly Advocate Investigation, §660.620
• An elderly advocate working for the Office of Advocacy and Assistance for the Elderly within the Office of the Lieutenant Governor is required by law to conduct investigation of complaints within their scope of authority.
HIPAA Privacy Regulations: Health Oversight Activities, §164.512(d)
• CEs may disclose PHI to health oversight agencies for oversight activities authorized by law, including audits, investigations, inspections, licensure etc.
Conflict?: No
State Law or HIPAA?: State
Discussion and Conclusion:
• To the extent a CE is responding to a request by an elderly advocate during the course of an investigation within the scope of the advocate’s authority, the CE may disclose PHI without violating HIPAA because it is a permissible health oversight activity.

*This document does not address electronic signatures or contracts under federal law. Under Missouri law, electronic records, contracts and signatures are legal and enforceable in accordance with the law per RSMo. §432.230.